-
Notifications
You must be signed in to change notification settings - Fork 969
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce Transaction Subsystem Fuzzing and Common Fuzzer Interface #2182
Conversation
More or less addressed everything above. Some of the hacky-est parts here will be benefited by the work being done in #2179. Specifically, I created a method called Will move this to Ready for Review once the PR mentioned above and #2155 are complete. |
Rebased against master. With #2179 merged, going to make some changes here based on that PR and undraft later today. |
This PR is now ready for review! It is rebased, commits logically organized, and has taken into consideration the comments above. Areas of uncertainty:
|
Appears I broke something. Not fuzzing correctly anymore. Will work on fixing tomorrow. |
My apologies for not finding the above bug before opening for review. Tested and everything works again as expected. Should be good for review again. |
Ok, should be good for another review. |
Ok @jonjove and @marta-lokhova, I believe I fixed up the code to adhere to your feedback. Two places I am still not 100% sure is:
I also cleaned up my sporadic commits. The first commit that addressed both y'all's feedback is (13be3d1f3fd2ff34f82fbe4ec252db3415bfa2d7) or the first one dated July 24. |
src/test/FuzzerImpl.cpp
Outdated
|
||
// we need an extra db cache clear here since the db prepared | ||
// statement cache may persist between tryRead loops | ||
mApp->getDatabase().clearPreparedStatementCache(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
resetTxInternalState
should call clearPreparedStatementCache
src/test/FuzzerImpl.cpp
Outdated
|
||
// we need an extra db cache clear here since the db prepared | ||
// statement cache may persist between tryRead loops | ||
mApp->getDatabase().clearPreparedStatementCache(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suspect you need to call clearPreparedStatementCache
after ltx
goes out of scope just to be sure things are reset the way you want
r+ a9468013d6a4c955dba8580bba96789803698946 |
@MonsieurNicolas accidentally turned off format for a commit, fixed now |
r+ 60b38b41535e1d31c092ecbe633a92bab03f9659 |
My apologies -- the fuzzer utilized a method behind |
…ate method for fuzzer
r+ c2cd2fc |
Introduce Transaction Subsystem Fuzzing and Common Fuzzer Interface Reviewed-by: MonsieurNicolas
Some Background
Fuzzing is a test strategy that performs automated binary executions with randomly generated/mutated inputs, monitoring for program crashes. It is useful for increasing test coverage by discovery of obscure, unthought-of, and interesting edge cases.
The basic process works as so:
There are many fuzz testing tools out there such as libFuzzer, AFL, and Peach Fuzzer. For the time being, I have implemented a test harness to work with AFL.
Description
This builds on #2155, introducing a transaction subsystem fuzzer.
A significant portion of the work here was integrating the introduced transaction fuzzer with AFL's persistent mode. Persistent mode allows for multiple executions of the binary in a single long-lived process, significantly improving executions per second since the expensive state setup can be limited to every 1,000th, or even 1,000,000th execution. Areas where determinism improved include:
This PR also defines a common interface for fuzzing various subsystems, allowing one to utilize a CLI flag to switch between
Overlay
andTransaction
fuzzing.Finally, this PR includes an option to specify
process_id
, allowing for easy parallelization of fuzzing (as supported by AFL).Further progress of #1376
Future Work
Generating transactions with more operations
To demonstrate functionality, I restricted the fuzzer to a subset of operations:
ACCOUNT_MERGE
andPAYMENT
of native assets. Running against protocol 4, the fuzzer discovered the double merge bug described here. This set will be expanded as I extend the fuzz test harness methodically, focusing first on discovery of the rest of the historical bugs in chronological order.Improving Fuzzer Efficiency
I also spent some time thinking about how to meaningfully and unobstructively limit the fuzz space. For example, I use a small set of pre-generated accounts for operations. Since I do this, and cause a disconnect between what the fuzzer fuzzes and what is actually fed to Stellar-core, cpu time spent incrementing and flipping bits in the
AccountID
property of XDR's is wasted time. Thus, I feed the fuzzer an initial corpus of operations with all bytes of theAccountID
zero'd out except for the 32nd byte to nudge it in the right direction.Note for Reviewers
Dependent on and rebased against #2155.
Checklist
clang-format
v5.0.0 (viamake format
or the Visual Studio extension)