Merge #2252: Fuzzing framework support
d059544 [Build] fuzz target, change LIBBITCOIN_ZEROCOIN link order. (furszy)
2396e6b [fuzz] Add ContextualCheckTransaction call to transaction target. (furszy)
f0887a0 Fuzzing documentation "PIVX-fication" (furszy)
9631f46 [doc] add sanitizers documentation in developer-notes.md (furszy)
70a0ace tests: Test serialisation as part of deserialisation fuzzing. Test round-trip equality where possible. Avoid code repetition. (practicalswift)
e1b92b6 ignore new fuzz targets gitignore (furszy)
d058d8c tests: Add deserialization fuzzing harnesses (furszy)
e1f666c tests: Remove TRANSACTION_DESERIALIZE (replaced by transaction fuzzer) (practicalswift)
b5f291c tests: Add fuzzing harness for CheckTransaction(...), IsStandardTx(...) and other CTransaction related functions (furszy)
3205871 fuzz: Remove option --export_coverage from test_runner (MarcoFalke)
52693ee fuzz: Add option to merge input dir to test runner (MarcoFalke)
2b4f8aa doc: Remove --disable-ccache from docs (MarcoFalke)
b54b1d6 tests: Improve test runner output in case of target errors (practicalswift)
cd6134f test: Log output even if fuzzer failed (MarcoFalke)
48cd0c8 doc: Improve fuzzing docs for macOS users (Fabian Jahr)
d642b67 [Build] Do not disable wallet when fuzz is enabled. (furszy)
c3447b5 Update doc and CI config (qmma)
1266d3e Disable other targets when enable-fuzz is set (qmma)
f28ac9a build: Allow to configure --with-sanitizers=fuzzer (MarcoFalke)
425742c fuzz: test_runner: Better error message when built with afl (MarcoFalke)
541f442 qa: Add test/fuzz/test_runner.py (MarcoFalke)
89fe5b2 Add missing LIBBITCOIN_ZMQ to test target (furszy)
58dbe79 add fuzzing binaries to gitignore. (furszy)
393a126 fuzz: Move deserialize tests to test/fuzz/deserialize.cpp (MarcoFalke)
a568df5 test: Build fuzz targets into separate executables (furszy)
d5dddde [test] fuzz: make test_one_input return void (MarcoFalke)
2e4ec58 [fuzzing] initialize chain params by default. (furszy)
08d8ebe [tests] Add libFuzzer support. (practicalswift)
84f72da [test] Speed up fuzzing by ~200x when using afl-fuzz (practicalswift)
faf2be6 Init ECC context for test_bitcoin_fuzzy. (Gregory Maxwell)
11150df Make fuzzer actually test CTxOutCompressor (Pieter Wuille)
d6f6a85 doc: Add bare-bones documentation for fuzzing (Wladimir J. van der Laan)
5c3b550 Simple fuzzing framework (pstratem)

Pull request description:

As the title says, adding fuzzing framework support so we can start getting serious on this area as well.

Adapted the following PRs:
* bitcoin#9172.
* bitcoin#9354.
* bitcoin#9691.
* bitcoin#10415.
* bitcoin#10440.
* bitcoin#15043.
* bitcoin#15047.
* bitcoin#15295.
* bitcoin#15399 (fabcfa5 only).
* bitcoin#16338.
* bitcoin#17051.
* bitcoin#17076.
* bitcoin#17225.
* bitcoin#17942.
* bitcoin#16236 (only fa35c42).
* bitcoin#18166 (only f2472f6).
* bitcoin#18300.
* And.. probably will go further and continue adapting more PRs..

ACKs for top commit:
random-zebra: utACK d059544 and merging...

Tree-SHA512: c0b05bca47bf99bafd8abf1453c5636fe05df75f16d0e9c750368ea2aed8142f0b28d28af1d23468b8829188412a80fd3b7bdbbda294b940d78aec80c1c7d03a
Showing 15 changed files with 1,041 additions and 10 deletions.
@@ -0,0 +1,138 @@ | ||
Fuzz-testing PIVX Core | ||
========================== | ||
|
||
A special test harness in `src/test/fuzz/` is provided for each fuzz target to | ||
provide an easy entry point for fuzzers and the like. In this document we'll | ||
describe how to use it with AFL and libFuzzer. | ||
|
||
## Preparing fuzzing | ||
|
||
The fuzzer needs some inputs to work on, but the inputs or seeds can be used | ||
interchangeably between libFuzzer and AFL. | ||
|
||
Extract the example seeds (or other starting inputs) into the inputs | ||
directory before starting fuzzing. | ||
|
||
``` | ||
git clone https://github.com/bitcoin-core/qa-assets | ||
export DIR_FUZZ_IN=$PWD/qa-assets/fuzz_seed_corpus | ||
``` | ||
|
||
AFL needs an input directory with examples, and an output directory where it | ||
will place examples that it found. These can be anywhere in the file system, | ||
we'll define environment variables to make it easy to reference them. | ||
|
||
So, only for AFL you need to configure the outputs path: | ||
|
||
``` | ||
mkdir outputs | ||
export AFLOUT=$PWD/outputs | ||
``` | ||
|
||
libFuzzer will use the input directory as output directory. | ||
|
||
## AFL | ||
|
||
### Building AFL | ||
|
||
It is recommended to always use the latest version of afl: | ||
``` | ||
wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz | ||
tar -zxvf afl-latest.tgz | ||
cd afl-<version> | ||
make | ||
export AFLPATH=$PWD | ||
``` | ||
|
||
For macOS you may need to ignore x86 compilation checks when running `make`: | ||
`AFL_NO_X86=1 make`. | ||
|
||
### Instrumentation | ||
|
||
To build PIVX Core using AFL instrumentation (this assumes that the | ||
`AFLPATH` was set as above): | ||
``` | ||
./configure --disable-shared --enable-tests --enable-fuzz CC=${AFLPATH}/afl-gcc CXX=${AFLPATH}/afl-g++ | ||
export AFL_HARDEN=1 | ||
make | ||
``` | ||
|
||
If you are using clang you will need to substitute `afl-gcc` with `afl-clang` | ||
and `afl-g++` with `afl-clang++`, so the first line above becomes: | ||
``` | ||
./configure --disable-shared --enable-tests --enable-fuzz CC=${AFLPATH}/afl-clang CXX=${AFLPATH}/afl-clang++ | ||
``` | ||
|
||
We disable ccache because we don't want to pollute the ccache with instrumented | ||
objects, and similarly don't want to use non-instrumented cached objects linked | ||
in. | ||
|
||
The fuzzing can be sped up significantly (~200x) by using `afl-clang-fast` and | ||
`afl-clang-fast++` in place of `afl-gcc` and `afl-g++` when compiling. When | ||
compiling using `afl-clang-fast`/`afl-clang-fast++` the resulting | ||
binary will be instrumented in such a way that the AFL | ||
features "persistent mode" and "deferred forkserver" can be used. See | ||
https://github.com/google/AFL/tree/master/llvm_mode for details. | ||
|
||
### Fuzzing | ||
|
||
To start the actual fuzzing use: | ||
|
||
``` | ||
export FUZZ_TARGET=bech32 # Pick a fuzz_target | ||
mkdir ${AFLOUT}/${FUZZ_TARGET} | ||
$AFLPATH/afl-fuzz -i ${DIR_FUZZ_IN}/${FUZZ_TARGET} -o ${AFLOUT}/${FUZZ_TARGET} -m52 -- src/test/fuzz/${FUZZ_TARGET} | ||
``` | ||
|
||
You may have to change a few kernel parameters to test optimally - `afl-fuzz` | ||
will print an error and suggestion if so. | ||
|
||
On macOS you may need to set `AFL_NO_FORKSRV=1` to get the target to run. | ||
``` | ||
export FUZZ_TARGET=bech32 # Pick a fuzz_target | ||
mkdir ${AFLOUT}/${FUZZ_TARGET} | ||
AFL_NO_FORKSRV=1 $AFLPATH/afl-fuzz -i ${DIR_FUZZ_IN}/${FUZZ_TARGET} -o ${AFLOUT}/${FUZZ_TARGET} -m52 -- src/test/fuzz/${FUZZ_TARGET} | ||
``` | ||
|
||
## libFuzzer | ||
|
||
A recent version of `clang`, the address sanitizer and libFuzzer is needed (all | ||
found in the `compiler-rt` runtime libraries package). | ||
|
||
To build all fuzz targets with libFuzzer, run | ||
|
||
``` | ||
./configure --enable-fuzz --with-sanitizers=fuzzer,address CC=clang CXX=clang++ | ||
make | ||
``` | ||
|
||
See https://llvm.org/docs/LibFuzzer.html#running on how to run the libFuzzer | ||
instrumented executable. | ||
|
||
Alternatively, you can run the script through the fuzzing test harness (only | ||
libFuzzer supported so far). You need to pass it the inputs directory and | ||
the specific test target you want to run. | ||
|
||
``` | ||
./test/fuzz/test_runner.py ${DIR_FUZZ_IN} bech32 | ||
``` | ||
|
||
### macOS hints for libFuzzer | ||
|
||
The default clang/llvm version supplied by Apple on macOS does not include | ||
fuzzing libraries, so macOS users will need to install a full version, for | ||
example using `brew install llvm`. | ||
|
||
Should you run into problems with the address sanitizer, it is possible you | ||
may need to run `./configure` with `--disable-asm` to avoid errors | ||
with certain assembly code from PIVX Core's code. See [developer notes on sanitizers](https://github.com/PIVX-Project/PIVX/blob/master/doc/developer-notes.md#sanitizers) | ||
for more information. | ||
|
||
You may also need to take care of giving the correct path for clang and | ||
clang++, like `CC=/path/to/clang CXX=/path/to/clang++` if the non-systems | ||
clang does not come first in your path. | ||
|
||
Full configure that was tested on macOS Catalina with `brew` installed `llvm`: | ||
``` | ||
./configure --enable-fuzz --with-sanitizers=fuzzer,address,undefined CC=/usr/local/opt/llvm/bin/clang CXX=/usr/local/opt/llvm/bin/clang++ --disable-asm | ||
``` |
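Review bot: The paragraph "We disable ccache because we don't want to pollute the ccache with instrumented objects, and similarly don't want to use non-instrumented cached objects linked in." no longer matches the `./configure` invocations above it, which pass no `--disable-ccache` (the merged commit list includes "doc: Remove --disable-ccache from docs"); either drop the paragraph or turn it into an explicit instruction, e.g. "build with `--disable-ccache`, or clear the cache, so instrumented and non-instrumented objects are never mixed", if that risk is still worth warning about. Two smaller points in the same hunk: `wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz` fetches compiler wrappers over plain HTTP with no checksum or signature check before `make` is run on the result, so the doc should point at a pinned release from the https://github.com/google/AFL repository it already links for llvm_mode and tell the reader to verify the archive first; and "Alternatively, you can run the script through the fuzzing test harness" leaves unclear which script is meant, since `test/fuzz/test_runner.py` is the harness that runs the fuzz targets, so "run the fuzz targets through the fuzzing test harness" reads better.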