Merge #261: Switch to cargo-fuzz

ae12708 chore: Delete fuzz nix shells (Christian Lewe)
98430c2 chore: Add cargo-fuzz files to .gitignore (Christian Lewe)
6362db7 refactor: Update fuzz scripts (Christian Lewe)
9d05999 refactor: Port fuzz crate to cargo-fuzz (Christian Lewe)
2aa015f chore: Bump MSRV 1.63.0 -> 1.78.0 (Christian Lewe)

Pull request description:

  Adapt the fuzzing infrastructure to use cargo-fuzz. I keep the existing shell scripts because they turned out to be useful.

  Everything should work as before, except that the `fuzzing` flag is producing warnings when the tests are run. Let's discuss solutions here.

ACKs for top commit:
  apoelstra:
    ACK ae12708

Tree-SHA512: 0a85e42ff7c08f682e7d4697bb2183a24915d9baa2486d5a7f7bc00d5ab5d20a634fda452efc5209466626c22a3ceff9de2deef736d879e183fb8929c1923917

Author: apoelstra

.github/workflows/fuzz.yml

@@ -23,9 +23,6 @@ decode_program,
 parse_human,
         ]
     steps:
-      - name: Install test dependencies
-        run: sudo apt-get update -y && sudo apt-get install -y binutils-dev libunwind8-dev libcurl4-openssl-dev libelf-dev libdw-dev cmake gcc libiberty-dev
-
       - name: Checkout Crate
         uses: actions/checkout@v4
 
@@ -38,15 +35,18 @@ parse_human,
             fuzz/target
             target
           key: cache-${{ matrix.target }}-${{ hashFiles('**/Cargo.toml','**/Cargo.lock') }}
+
       - name: Install Toolchain
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@master
         with:
-          toolchain: '1.65.0'
+          toolchain: nightly-2024-07-01
+          components: "llvm-tools-preview"
+
+      - name: Install Dependencies
+        run: cargo update && cargo update -p cc --precise 1.0.83 && cargo install cargo-fuzz
 
       - name: Run Fuzz Target
-        run: |
-          echo "Using RUSTFLAGS $RUSTFLAGS"
-          cd fuzz && cargo update && cargo update -p cc --precise 1.0.83 && ./fuzz.sh "${{ matrix.fuzz_target }}"
+        run: ./fuzz/fuzz.sh "${{ matrix.fuzz_target }}"
 
       - name: Prepare Artifact
         run: echo "${{ matrix.fuzz_target }}" >executed_${{ matrix.fuzz_target }}

.github/workflows/main.yml

@@ -54,7 +54,7 @@ jobs:
           - stable
           - beta
           - nightly
-          - 1.63.0
+          - 1.78.0
     steps:
       - name: Checkout Crate
         uses: actions/checkout@v4

.gitignore

@@ -10,6 +10,8 @@ Cargo.lock
 #fuzz
 fuzz/hfuzz_target
 fuzz/hfuzz_workspace
+fuzz/artifacts
+fuzz/corpus
 
 #IntelliJ project files
 .idea

Cargo-recent.lock

@@ -8,7 +8,7 @@ repository = "https://github.com/BlockstreamResearch/rust-simplicity/"
 documentation = "https://docs.rs/simplicity-lang/"
 description = "General purpose library for processing Simplicity programs"
 edition = "2021"
-rust-version = "1.63.0"
+rust-version = "1.78.0"
 
 [features]
 default = ["elements"]

Cargo.toml

@@ -5,7 +5,7 @@ Under development....
 
 # Minimum Supported Rust Version
 
-The MSRV of this crate is **1.63.0**.
+The MSRV of this crate is **1.78.0**.
 
 # Updating jets code
 

README.md

@@ -1,4 +1,4 @@
-msrv = "1.63.0"
+msrv = "1.78.0"
 
 # Default 250, not sure what units. But it does not like the generic node stuff.
 type-complexity-threshold = 1000

clippy.toml

@@ -1,7 +1,7 @@
 [package]
 name = "simplicity-fuzz"
 edition = "2021"
-rust-version = "1.63.0"
+rust-version = "1.78.0"
 version = "0.0.1"
 authors = ["Generated by fuzz/generate-files.sh"]
 publish = false
@@ -10,21 +10,39 @@ publish = false
 cargo-fuzz = true
 
 [dependencies]
-honggfuzz = { version = "0.5.55", default-features = false }
+libfuzzer-sys = "0.4"
 simplicity-lang = { path = "..", features = ["test-utils"] }
 
+[dev-dependencies]
+base64 = "0.22.1"
+
+[lints.rust]
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(fuzzing)'] }
+
 [[bin]]
 name = "c_rust_merkle"
 path = "fuzz_targets/c_rust_merkle.rs"
+test = false
+doc = false
+bench = false
 
 [[bin]]
 name = "decode_natural"
 path = "fuzz_targets/decode_natural.rs"
+test = false
+doc = false
+bench = false
 
 [[bin]]
 name = "decode_program"
 path = "fuzz_targets/decode_program.rs"
+test = false
+doc = false
+bench = false
 
 [[bin]]
 name = "parse_human"
 path = "fuzz_targets/parse_human.rs"
+test = false
+doc = false
+bench = false

fuzz/Cargo.toml

@@ -2,10 +2,10 @@
 
 # Continuosly cycle over fuzz targets running each for 1 hour.
 # It uses chrt SCHED_IDLE so that other process takes priority.
-#
-# For hfuzz options see https://github.com/google/honggfuzz/blob/master/docs/USAGE.md
 
-set -e
+set -o errexit # exit immediately if any command fails
+set -o xtrace # print trace of executed commands
+
 REPO_DIR=$(git rev-parse --show-toplevel)
 # shellcheck source=./fuzz-util.sh
 source "$REPO_DIR/fuzz/fuzz-util.sh"
@@ -14,12 +14,11 @@ while :
 do
   for targetFile in $(listTargetFiles); do
     targetName=$(targetFileToName "$targetFile")
-    echo "Fuzzing target $targetName ($targetFile)"
 
     # fuzz for one hour
-    HFUZZ_RUN_ARGS='--run_time 3600' chrt -i 0 cargo hfuzz run "$targetName"
+    chrt -i 0 cargo-fuzz run "$targetName" -- -max_total_time=3600
     # minimize the corpus
-    HFUZZ_RUN_ARGS="-i hfuzz_workspace/$targetName/input/ -P -M" chrt -i 0 cargo hfuzz run "$targetName"
+    cargo-fuzz cmin "$targetName"
   done
 done
 

fuzz/cycle.sh

@@ -15,14 +15,6 @@ targetFileToName() {
     | sed 's/\//_/g'
 }
 
-targetFileToHFuzzInputArg() {
-  baseName=$(basename "$1")
-  dirName="${baseName%.*}"
-  if [ -d "hfuzz_input/$dirName" ]; then
-    echo "HFUZZ_INPUT_ARGS=\"-f hfuzz_input/$FILE/input\""
-  fi
-}
-
 listTargetNames() {
   for target in $(listTargetFiles); do
     targetFileToName "$target"
@@ -37,23 +29,3 @@ checkWindowsFiles() {
     exit 2
   fi
 }
-
-# Checks whether a fuzz case output some report, and dumps it in hex
-getReport() {
-  reportFile="hfuzz_workspace/$1/HONGGFUZZ.REPORT.TXT"
-  if [ -f "$reportFile" ]; then
-    cat "$reportFile"
-    for CASE in "hfuzz_workspace/$1/SIG"*; do
-      xxd -p -c10000 < "$CASE"
-    done
-    return 1
-  fi
-  return 0
-}
-
-# Check for reports and exit if there are any
-checkReport() {
-  if ! getReport "$1"; then
-    exit 1
-  fi
-}

fuzz/fuzz-util.sh

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
-set -ex
+set -o errexit # exit immediately if any command fails
+set -o xtrace # print trace of executed commands
 
 REPO_DIR=$(git rev-parse --show-toplevel)
 
@@ -18,17 +19,8 @@ fi
 cargo --version
 rustc --version
 
-# Testing
-cargo install --force honggfuzz --no-default-features
+# Run fuzz target
 for targetFile in $targetFiles; do
   targetName=$(targetFileToName "$targetFile")
-  echo "Fuzzing target $targetName ($targetFile)"
-  if [ -d "hfuzz_input/$targetName" ]; then
-    HFUZZ_INPUT_ARGS="-f hfuzz_input/$targetName/input\""
-  else
-    HFUZZ_INPUT_ARGS=""
-  fi
-  HFUZZ_RUN_ARGS="--run_time 30 --exit_upon_crash -v $HFUZZ_INPUT_ARGS" cargo hfuzz run "$targetName"
-
-  checkReport "$targetName"
+  cargo-fuzz run "$targetName" -- -max_total_time=30
 done

fuzz/fuzz.sh

@@ -1,13 +1,14 @@
 // SPDX-License-Identifier: CC0-1.0
 
-use honggfuzz::fuzz;
-
-use simplicity::ffi::tests::{ffi::SimplicityErr, run_program, TestUpTo};
-use simplicity::hashes::sha256::Midstate;
-use simplicity::jet::Elements;
-use simplicity::{BitIter, RedeemNode};
+#![cfg_attr(fuzzing, no_main)]
 
+#[cfg(any(fuzzing, test))]
 fn do_test(data: &[u8]) {
+    use simplicity::ffi::tests::{ffi::SimplicityErr, run_program, TestUpTo};
+    use simplicity::hashes::sha256::Midstate;
+    use simplicity::jet::Elements;
+    use simplicity::{BitIter, RedeemNode};
+
     // To decode the program length, we first try decoding the program using
     // `decode_expression` which will not error on a length check. Alternately
     // we could decode using RedeemNode::decode and then extract the length
@@ -54,37 +55,21 @@ fn do_test(data: &[u8]) {
     }
 }
 
-fn main() {
-    loop {
-        fuzz!(|data| {
-            do_test(data);
-        });
-    }
-}
+#[cfg(fuzzing)]
+libfuzzer_sys::fuzz_target!(|data| do_test(data));
+
+#[cfg(not(fuzzing))]
+fn main() {}
 
 #[cfg(test)]
 mod tests {
-    fn extend_vec_from_hex(hex: &str, out: &mut Vec<u8>) {
-        let mut b = 0;
-        for (idx, c) in hex.as_bytes().iter().enumerate() {
-            b <<= 4;
-            match *c {
-                b'A'..=b'F' => b |= c - b'A' + 10,
-                b'a'..=b'f' => b |= c - b'a' + 10,
-                b'0'..=b'9' => b |= c - b'0',
-                _ => panic!("Bad hex"),
-            }
-            if (idx & 1) == 1 {
-                out.push(b);
-                b = 0;
-            }
-        }
-    }
+    use base64::Engine;
 
     #[test]
     fn duplicate_crash() {
-        let mut a = Vec::new();
-        extend_vec_from_hex("ffffff0000010080800000000000380000001adfc7040000000000000000000007fffffffffffffe1000000000000000000001555600000000000000000000000000000000000000000000000000000000000000000000ffffffffffffff0300000000000000000000000000000000000000000000000000008000000000000000ffffffffffffff7f00000000000000ffffff151515111515155555555555d6eeffffff00", &mut a);
-        super::do_test(&a);
+        let data = base64::prelude::BASE64_STANDARD
+            .decode("Cg==")
+            .expect("base64 should be valid");
+        super::do_test(&data);
     }
 }

fuzz/fuzz_targets/c_rust_merkle.rs

@@ -1,11 +1,12 @@
 // SPDX-License-Identifier: CC0-1.0
 
-use honggfuzz::fuzz;
-
-use simplicity::encode_natural;
-use simplicity::{BitIter, BitWriter};
+#![cfg_attr(fuzzing, no_main)]
 
+#[cfg(any(fuzzing, test))]
 fn do_test(data: &[u8]) {
+    use simplicity::encode_natural;
+    use simplicity::{BitIter, BitWriter};
+
     let mut iter = BitIter::new(data.iter().cloned());
 
     if let Ok(natural) = iter.read_natural(None) {
@@ -28,37 +29,21 @@ fn do_test(data: &[u8]) {
     }
 }
 
-fn main() {
-    loop {
-        fuzz!(|data| {
-            do_test(data);
-        });
-    }
-}
+#[cfg(fuzzing)]
+libfuzzer_sys::fuzz_target!(|data| do_test(data));
+
+#[cfg(not(fuzzing))]
+fn main() {}
 
 #[cfg(test)]
 mod tests {
-    fn extend_vec_from_hex(hex: &str, out: &mut Vec<u8>) {
-        let mut b = 0;
-        for (idx, c) in hex.as_bytes().iter().enumerate() {
-            b <<= 4;
-            match *c {
-                b'A'..=b'F' => b |= c - b'A' + 10,
-                b'a'..=b'f' => b |= c - b'a' + 10,
-                b'0'..=b'9' => b |= c - b'0',
-                _ => panic!("Bad hex"),
-            }
-            if (idx & 1) == 1 {
-                out.push(b);
-                b = 0;
-            }
-        }
-    }
+    use base64::Engine;
 
     #[test]
     fn duplicate_crash() {
-        let mut a = Vec::new();
-        extend_vec_from_hex("00000", &mut a);
-        super::do_test(&a);
+        let data = base64::prelude::BASE64_STANDARD
+            .decode("Cg==")
+            .expect("base64 should be valid");
+        super::do_test(&data);
     }
 }

fuzz/fuzz_targets/decode_natural.rs

@@ -1,11 +1,12 @@
 // SPDX-License-Identifier: CC0-1.0
 
-use honggfuzz::fuzz;
-
-use simplicity::jet::Core;
-use simplicity::{BitIter, BitWriter, RedeemNode};
+#![cfg_attr(fuzzing, no_main)]
 
+#[cfg(any(fuzzing, test))]
 fn do_test(data: &[u8]) {
+    use simplicity::jet::Core;
+    use simplicity::{BitIter, BitWriter, RedeemNode};
+
     let prog_iter = BitIter::new(data.iter().cloned());
     let wit_iter = BitIter::new(core::iter::repeat(0));
     if let Ok(program) = RedeemNode::<Core>::decode(prog_iter, wit_iter) {
@@ -24,37 +25,21 @@ fn do_test(data: &[u8]) {
     }
 }
 
-fn main() {
-    loop {
-        fuzz!(|data| {
-            do_test(data);
-        });
-    }
-}
+#[cfg(fuzzing)]
+libfuzzer_sys::fuzz_target!(|data| do_test(data));
+
+#[cfg(not(fuzzing))]
+fn main() {}
 
 #[cfg(test)]
 mod tests {
-    fn extend_vec_from_hex(hex: &str, out: &mut Vec<u8>) {
-        let mut b = 0;
-        for (idx, c) in hex.as_bytes().iter().enumerate() {
-            b <<= 4;
-            match *c {
-                b'A'..=b'F' => b |= c - b'A' + 10,
-                b'a'..=b'f' => b |= c - b'a' + 10,
-                b'0'..=b'9' => b |= c - b'0',
-                _ => panic!("Bad hex"),
-            }
-            if (idx & 1) == 1 {
-                out.push(b);
-                b = 0;
-            }
-        }
-    }
+    use base64::Engine;
 
     #[test]
     fn duplicate_crash() {
-        let mut a = Vec::new();
-        extend_vec_from_hex("00000", &mut a);
-        super::do_test(&a);
+        let data = base64::prelude::BASE64_STANDARD
+            .decode("Cg==")
+            .expect("base64 should be valid");
+        super::do_test(&data);
     }
 }

fuzz/fuzz_targets/decode_program.rs

@@ -1,12 +1,13 @@
 // SPDX-License-Identifier: CC0-1.0
 
-use honggfuzz::fuzz;
-use simplicity::human_encoding::Forest;
-use simplicity::jet::Elements;
-use std::str;
+#![cfg_attr(fuzzing, no_main)]
 
+#[cfg(any(fuzzing, test))]
 fn do_test(data: &[u8]) {
-    let s = match str::from_utf8(data) {
+    use simplicity::human_encoding::Forest;
+    use simplicity::jet::Elements;
+
+    let s = match std::str::from_utf8(data) {
         Ok(s) => s,
         Err(_) => return,
     };
@@ -18,37 +19,21 @@ fn do_test(data: &[u8]) {
     }
 }
 
-fn main() {
-    loop {
-        fuzz!(|data| {
-            do_test(data);
-        });
-    }
-}
+#[cfg(fuzzing)]
+libfuzzer_sys::fuzz_target!(|data| do_test(data));
+
+#[cfg(not(fuzzing))]
+fn main() {}
 
 #[cfg(test)]
 mod tests {
-    fn extend_vec_from_hex(hex: &str, out: &mut Vec<u8>) {
-        let mut b = 0;
-        for (idx, c) in hex.as_bytes().iter().enumerate() {
-            b <<= 4;
-            match *c {
-                b'A'..=b'F' => b |= c - b'A' + 10,
-                b'a'..=b'f' => b |= c - b'a' + 10,
-                b'0'..=b'9' => b |= c - b'0',
-                _ => panic!("Bad hex"),
-            }
-            if (idx & 1) == 1 {
-                out.push(b);
-                b = 0;
-            }
-        }
-    }
+    use base64::Engine;
 
     #[test]
     fn duplicate_crash() {
-        let mut a = Vec::new();
-        extend_vec_from_hex("00", &mut a);
-        super::do_test(&a);
+        let data = base64::prelude::BASE64_STANDARD
+            .decode("Cg==")
+            .expect("base64 should be valid");
+        super::do_test(&data);
     }
 }

fuzz/fuzz_targets/parse_human.rs

@@ -12,7 +12,7 @@ cat > "$REPO_DIR/fuzz/Cargo.toml" <<EOF
 [package]
 name = "simplicity-fuzz"
 edition = "2021"
-rust-version = "1.63.0"
+rust-version = "1.78.0"
 version = "0.0.1"
 authors = ["Generated by fuzz/generate-files.sh"]
 publish = false
@@ -21,8 +21,11 @@ publish = false
 cargo-fuzz = true
 
 [dependencies]
-honggfuzz = { version = "0.5.55", default-features = false }
+libfuzzer-sys = "0.4"
 simplicity-lang = { path = "..", features = ["test-utils"] }
+
+[dev-dependencies]
+base64 = "0.22.1"
 EOF
 
 for targetFile in $(listTargetFiles); do
@@ -32,6 +35,9 @@ for targetFile in $(listTargetFiles); do
 [[bin]]
 name = "$targetName"
 path = "$targetFile"
+test = false
+doc = false
+bench = false
 EOF
 done
 
@@ -59,9 +65,6 @@ jobs:
 $(for name in $(listTargetNames); do echo "$name,"; done)
         ]
     steps:
-      - name: Install test dependencies
-        run: sudo apt-get update -y && sudo apt-get install -y binutils-dev libunwind8-dev libcurl4-openssl-dev libelf-dev libdw-dev cmake gcc libiberty-dev
-
       - name: Checkout Crate
         uses: actions/checkout@v4
 
@@ -74,15 +77,18 @@ $(for name in $(listTargetNames); do echo "$name,"; done)
             fuzz/target
             target
           key: cache-\${{ matrix.target }}-\${{ hashFiles('**/Cargo.toml','**/Cargo.lock') }}
+
       - name: Install Toolchain
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@master
         with:
-          toolchain: '1.65.0'
+          toolchain: nightly-2024-07-01
+          components: "llvm-tools-preview"
+
+      - name: Install Dependencies
+        run: cargo update && cargo update -p cc --precise 1.0.83 && cargo install cargo-fuzz
 
       - name: Run Fuzz Target
-        run: |
-          echo "Using RUSTFLAGS \$RUSTFLAGS"
-          cd fuzz && cargo update && cargo update -p cc --precise 1.0.83 && ./fuzz.sh "\${{ matrix.fuzz_target }}"
+        run: ./fuzz/fuzz.sh "\${{ matrix.fuzz_target }}"
 
       - name: Prepare Artifact
         run: echo "\${{ matrix.fuzz_target }}" >executed_\${{ matrix.fuzz_target }}

fuzz/generate-files.sh

@@ -7,7 +7,7 @@ repository = "https://github.com/BlockstreamResearch/rust-simplicity/"
 documentation = "https://docs.rs/simplicity-sys/"
 description = "FFI bindings to libsimplicity"
 edition = "2021"
-rust-version = "1.63.0"
+rust-version = "1.78.0"
 
 [build-dependencies]
 cc = "1.0.83"

fuzz/honggfuzz-rs.nix

@@ -53,7 +53,7 @@ impl CFrameItem {
 
 /// Number of UWORDs required to hold n bits
 pub fn uword_width(n_bits: usize) -> usize {
-    (n_bits + 8 * mem::size_of::<UWORD>() - 1) / (8 * mem::size_of::<UWORD>())
+    n_bits.div_ceil(8 * mem::size_of::<UWORD>())
 }
 
 /// Number of bytes required to hold n bits