Add: ST fuzzing harnesses with logging + validation hooks

- add ST20/ST22/ST30/ST40 fuzz harnesses, shared Meson wiring, and pytest runner
- enable DEBUG-level MTL logging within the fuzz binaries and surface detailed ST40 drop reasons
- document how to build/run fuzzers (Meson/build.sh, pytest nightly marker, logging behavior)
- clean up legacy enable_fuzzing_st40 options in build scripts
- fix sample/ext_frame plane math and noctx handler assertions to reflect frame[0] usage
- propagate pacing fixes and ancillary logging hooks inside rx/tx session code
- refresh validation configs to capture fuzz logs and new helper assets

Author: moleksy

README.md

@@ -78,7 +78,7 @@ An important point to note is that narrow pacing of TX is only supported for the
 
 ## 2. Build
 
-Please refer to [Build Guide](doc/build.md) for instructions on how to build DPDK, the library, and the sample application.
+Please refer to [Build Guide](doc/build.md) for instructions on how to build DPDK, the library, and the sample application. Guidance for the fuzz targets lives in [doc/fuzzing.md](doc/fuzzing.md).
 
 For Windows, please refer to the [Windows Build Guide](doc/build_WIN.md) for instructions on how to build.
 

app/sample/ext_frame/rx_st20_pipeline_dyn_ext_frame_sample.c

@@ -49,12 +49,13 @@ static int rx_st20p_query_ext_frame(void* priv, struct st_ext_frame* ext_frame,
   ext_frame->size = s->ext_frames[i].buf_len;
 
   uint8_t* addr = ext_frame->addr[0];
-  uint8_t planes = st_frame_fmt_planes(meta->fmt);
+  enum st_frame_fmt frame_fmt = st_frame_fmt_from_transport(meta->fmt);
+  uint8_t planes = st_frame_fmt_planes(frame_fmt);
   for (int plane = 0; plane < planes; plane++) {
     if (plane > 0)
       ext_frame->iova[plane] =
           ext_frame->iova[plane - 1] + ext_frame->linesize[plane - 1] * meta->height;
-    ext_frame->linesize[plane] = st_frame_least_linesize(meta->fmt, meta->width, plane);
+    ext_frame->linesize[plane] = st_frame_least_linesize(frame_fmt, meta->width, plane);
     ext_frame->addr[plane] = addr;
     addr += ext_frame->linesize[plane] * meta->height;
   }

build.sh

@@ -8,18 +8,20 @@ set -e
 user=$(whoami)
 
 function usage() {
-	echo "Usage: $0 [debug/debugoptimized/plain/release]"
+	echo "Usage: $0 [debug|debugonly|debugoptimized|plain|release] [enable_fuzzing]"
 	exit 0
 }
 
 buildtype=release
 enable_asan=false
 enable_tap=false
 enable_usdt=true
+enable_fuzzing=false
 
 : "${MTL_BUILD_ENABLE_ASAN:=false}"
 : "${MTL_BUILD_ENABLE_TAP:=false}"
 : "${MTL_BUILD_DISABLE_USDT:=false}"
+: "${MTL_BUILD_ENABLE_FUZZING:=false}"
 
 if [ "$MTL_BUILD_ENABLE_ASAN" == "true" ]; then
 	enable_asan=true
@@ -37,7 +39,12 @@ if [ "$MTL_BUILD_DISABLE_USDT" == "true" ]; then
 	echo "Disable USDT"
 fi
 
-if [ -n "$1" ]; then
+if [ "$MTL_BUILD_ENABLE_FUZZING" == "true" ]; then
+	enable_fuzzing=true
+	echo "Enable fuzzers"
+fi
+
+while [ $# -gt 0 ]; do
 	case $1 in
 	"debug")
 		buildtype=debug
@@ -55,11 +62,16 @@ if [ -n "$1" ]; then
 	"release")
 		buildtype=release
 		;;
+	"enable_fuzzing" | "--enable-fuzzing")
+		enable_fuzzing=true
+		echo "Enable fuzzers"
+		;;
 	*)
 		usage
 		;;
 	esac
-fi
+	shift
+done
 
 WORKSPACE=$PWD
 LIB_BUILD_DIR=${WORKSPACE}/build
@@ -71,7 +83,7 @@ MANAGER_BUILD_DIR=${WORKSPACE}/build/manager
 RXTXAPP_BUILD_DIR=${WORKSPACE}/tests/tools/RxTxApp/build
 
 # build lib
-meson setup "${LIB_BUILD_DIR}" -Dbuildtype="$buildtype" -Denable_asan="$enable_asan" -Denable_tap="$enable_tap" -Denable_usdt="$enable_usdt"
+meson setup "${LIB_BUILD_DIR}" -Dbuildtype="$buildtype" -Denable_asan="$enable_asan" -Denable_tap="$enable_tap" -Denable_usdt="$enable_usdt" -Denable_fuzzing="$enable_fuzzing"
 pushd "${LIB_BUILD_DIR}"
 ninja
 if [ "$user" == "root" ] || [ "$OS" == "Windows_NT" ]; then

doc/fuzzing.md

@@ -0,0 +1,131 @@
+# ST40/ST30/ST20/ST22 RX Fuzzing
+
+This repository now provides libFuzzer harnesses that exercise the runtime ST40 RX
+ancillary packet path, the ancillary helper utilities, the ST30 RX audio frame path,
+and the ST20/ST22 RX video frame pipelines. The harnesses are built only when the
+dedicated Meson option is enabled because they pull in DPDK and need an EAL
+environment.
+
+## Build Requirements
+
+- Clang/LLVM with `-fsanitize=fuzzer` support **or** a standalone `libFuzzer` library.
+- DPDK must already be available, as required by the main library build.
+- Linux is recommended; the harnesses rely on EAL flags such as `--no-huge` and
+  `--in-memory`.
+
+## Enabling The Harnesses
+
+You can turn the fuzzers on either directly through Meson **or** via the top-level
+`build.sh` helper:
+
+```sh
+meson setup build -Denable_fuzzing=true
+```
+
+```sh
+./build.sh release enable_fuzzing
+# or export MTL_BUILD_ENABLE_FUZZING=true before invoking build.sh
+```
+
+Add `-Denable_asan=true` (or `MTL_BUILD_ENABLE_ASAN=true`) if you also want
+AddressSanitizer instrumentation. Existing build directories can be reconfigured with
+`meson configure build -Denable_fuzzing=true`.
+
+Meson injects the `MTL_ENABLE_FUZZING_ST40`, `MTL_ENABLE_FUZZING_ST30`,
+`MTL_ENABLE_FUZZING_ST20`, and `MTL_ENABLE_FUZZING_ST22` defines so the RX
+implementation exposes the minimal helper hooks required by the fuzzers.
+
+## Building
+
+After configuration simply run the standard build:
+
+```sh
+ninja -C build
+```
+
+The following fuzz targets will be produced inside `build/tests/fuzz/`:
+
+- `st40_rx_rtp_fuzz` – feeds arbitrary RTP payloads through
+  `rx_ancillary_session_handle_pkt`, using a lightweight DPDK/EAL bootstrap.
+- `st40_ancillary_helpers_fuzz` – targets the pure helper functions in
+  `st_ancillary.c` (`st40_set_udw`, `st40_get_udw`, parity helpers, checksum, etc.).
+- `st30_rx_frame_fuzz` – injects fuzzed RFC3550 audio RTP packets into the
+  frame-level ST30 RX path, allocating a tiny in-memory framebuffer to exercise the
+  sequencing and framing logic.
+- `st20_rx_frame_fuzz` – drives the frame-level ST20 video RX path, including slot
+  management, RTP parsing, bitmap tracking, and framebuffer assembly for
+  RFC4175-formatted video payloads.
+- `st22_rx_frame_fuzz` – targets the ST22 codestream RX path, validating packetized
+  codestream parsing, JPVS/COLR box handling, and codestream reassembly logic.
+
+## Running
+
+Each target is a standalone libFuzzer executable. A minimal invocation looks like:
+
+```sh
+./build/tests/fuzz/st40_rx_rtp_fuzz -runs=1000 corpus_dir
+```
+
+The harness configures EAL internally (`--no-huge --in-memory --no-shconf -c1 -n1`),
+so no additional environment setup is required beyond access to `/dev/hugepages` not
+being mandatory.
+
+A similar invocation drives the ST30 frame harness:
+
+```sh
+./build/tests/fuzz/st30_rx_frame_fuzz -max_total_time=60 corpus_audio
+```
+
+And the new ST20/ST22 video harnesses can be exercised with:
+
+```sh
+./build/tests/fuzz/st20_rx_frame_fuzz -max_total_time=60 corpus_video
+./build/tests/fuzz/st22_rx_frame_fuzz -max_total_time=60 corpus_codestream
+```
+
+For long fuzzing sessions point the binary at a writable corpus directory. The helper
+fuzzer works the same way:
+
+```sh
+./build/tests/fuzz/st40_ancillary_helpers_fuzz -max_total_time=60 corpus_helpers
+```
+
+### Pytest integration
+
+The validation suite drives every fuzz target with long-running libFuzzer passes and
+streams the combined libFuzzer/MTL output into
+`tests/validation/logs/latest/pytest.log`. Execute:
+
+```sh
+pytest tests/validation/fuzzing/test_fuzzing.py -k fuzz
+```
+
+Each test carries `@pytest.mark.nightly` and runs `-runs=500000` iterations by default
+(override via `MTL_FUZZ_TEST_RUNS`). That keeps quick developer test shards short while
+allowing the nightly job to exercise a deeper corpus.
+
+### Logging during fuzzing
+
+All harnesses automatically raise the MTL and DPDK log level to `DEBUG` and install a
+custom printer that forwards every log line to `stderr`. When invoked through pytest (or
+manually), you will see `MTL:`-prefixed lines for interesting events—payload-type / SSRC
+mismatches, redundant packets, enqueue failures, etc.—inside the test logs without any
+extra configuration.
+
+## Notes
+
+- The RX harness drains the session ring immediately after notifying the callback so
+  mbufs are always released, which keeps memory usage stable even under ASan.
+- Inputs must be at least the size of an RFC8331 ancillary header (62 bytes) to ensure
+  the handler never reads beyond the provided mbuf.
+- All harnesses cap their input size to fit inside a standard DPDK mbuf (2 KiB) to
+  avoid oversized allocations during fuzzing.
+- The ST30 harness requires inputs large enough to contain an RFC3550 audio header
+  (12 bytes). Packets larger than 2 KiB are truncated so they still fit within a
+  single mbuf.
+- The ST20 harness expects RFC4175-style video payloads (12-byte RTP header plus
+  video-specific extensions). Packets shorter than the combined header size are
+  ignored.
+- The ST22 harness operates on RFC9134 codestream packets. Inputs must include at
+  least the base JP2K header; larger payloads exercise the box parsing and codestream
+  completion/marker logic.

lib/src/st2110/st_rx_ancillary_session.c

@@ -9,6 +9,14 @@
 #include "../mt_stat.h"
 #include "st_ancillary_transmitter.h"
 
+#ifdef MTL_ENABLE_FUZZING_ST40
+#define ST40_FUZZ_LOG(...) info(__VA_ARGS__)
+#else
+#define ST40_FUZZ_LOG(...) \
+  do {                     \
+  } while (0)
+#endif
+
 /* call rx_ancillary_session_put always if get successfully */
 static inline struct st_rx_ancillary_session_impl* rx_ancillary_session_get(
     struct st_rx_ancillary_sessions_mgr* mgr, int idx) {
@@ -100,6 +108,10 @@ static int rx_ancillary_session_handle_pkt(struct mtl_main_impl* impl,
   uint32_t tmstamp = ntohl(rtp->tmstamp);
 
   if (ops->payload_type && (payload_type != ops->payload_type)) {
+#ifdef MTL_ENABLE_FUZZING_ST40
+    ST40_FUZZ_LOG("%s(%d,%d), drop payload_type %u expected %u\n", __func__, s->idx,
+                  s_port, payload_type, ops->payload_type);
+#endif
     dbg("%s(%d,%d), get payload_type %u but expect %u\n", __func__, s->idx, s_port,
         payload_type, ops->payload_type);
     ST_SESSION_STAT_INC(s, port_user_stats.common, stat_pkts_wrong_pt_dropped);
@@ -108,6 +120,10 @@ static int rx_ancillary_session_handle_pkt(struct mtl_main_impl* impl,
   if (ops->ssrc) {
     uint32_t ssrc = ntohl(rtp->ssrc);
     if (ssrc != ops->ssrc) {
+#ifdef MTL_ENABLE_FUZZING_ST40
+      ST40_FUZZ_LOG("%s(%d,%d), drop ssrc %u expected %u\n", __func__, s->idx, s_port,
+                    ssrc, ops->ssrc);
+#endif
       dbg("%s(%d,%d), get ssrc %u but expect %u\n", __func__, s->idx, s_port, ssrc,
           ops->ssrc);
       ST_SESSION_STAT_INC(s, port_user_stats.common, stat_pkts_wrong_ssrc_dropped);
@@ -117,6 +133,10 @@ static int rx_ancillary_session_handle_pkt(struct mtl_main_impl* impl,
 
   /* Drop if F is 0b01 (invalid: bit 0 set, bit 1 clear) */
   if ((rfc8331->first_hdr_chunk.f & 0x3) == 0x1) {
+#ifdef MTL_ENABLE_FUZZING_ST40
+    ST40_FUZZ_LOG("%s(%d,%d), drop invalid field bits 0x%x\n", __func__, s->idx, s_port,
+                  rfc8331->first_hdr_chunk.f);
+#endif
     ST_SESSION_STAT_INC(s, port_user_stats, stat_pkts_wrong_interlace_dropped);
     return -EINVAL;
   }
@@ -149,9 +169,17 @@ static int rx_ancillary_session_handle_pkt(struct mtl_main_impl* impl,
   if ((mt_seq32_greater(s->tmstamp, tmstamp)) ||
       !mt_seq16_greater(seq_id, s->session_seq_id)) {
     if (!mt_seq16_greater(seq_id, s->session_seq_id)) {
+#ifdef MTL_ENABLE_FUZZING_ST40
+      ST40_FUZZ_LOG("%s(%d,%d), redundant seq %u last %d\n", __func__, s->idx, s_port,
+                    seq_id, s->session_seq_id);
+#endif
       dbg("%s(%d,%d), redundant seq now %u session last %d\n", __func__, s->idx, s_port,
           seq_id, s->session_seq_id);
     } else {
+#ifdef MTL_ENABLE_FUZZING_ST40
+      ST40_FUZZ_LOG("%s(%d,%d), redundant ts %u last %ld\n", __func__, s->idx, s_port,
+                    tmstamp, s->tmstamp);
+#endif
       dbg("%s(%d,%d), redundant tmstamp now %u session last %ld\n", __func__, s->idx,
           s_port, tmstamp, s->tmstamp);
     }
@@ -188,6 +216,10 @@ static int rx_ancillary_session_handle_pkt(struct mtl_main_impl* impl,
   if (ret < 0) {
     err("%s(%d), can not enqueue to the rte ring, packet drop, pkt seq %d\n", __func__,
         s->idx, seq_id);
+#ifdef MTL_ENABLE_FUZZING_ST40
+    ST40_FUZZ_LOG("%s(%d,%d), enqueue failure for seq %u len %u\n", __func__, s->idx,
+                  s_port, seq_id, pkt_len);
+#endif
     ST_SESSION_STAT_INC(s, port_user_stats, stat_pkts_enqueue_fail);
     MT_USDT_ST40_RX_MBUF_ENQUEUE_FAIL(s->mgr->idx, s->idx, mbuf, tmstamp);
     return 0;
@@ -213,9 +245,51 @@ static int rx_ancillary_session_handle_pkt(struct mtl_main_impl* impl,
   }
 
   MT_USDT_ST40_RX_MBUF_AVAILABLE(s->mgr->idx, s->idx, mbuf, tmstamp, pkt_len);
+#ifdef MTL_ENABLE_FUZZING_ST40
+  info("%s(%d,%d), fuzz enqueued seq %u len %u\n", __func__, s->idx, s_port, seq_id,
+       pkt_len);
+#endif
   return 0;
 }
 
+#ifdef MTL_ENABLE_FUZZING_ST40
+int st_rx_ancillary_session_fuzz_handle_pkt(struct mtl_main_impl* impl,
+                                            struct st_rx_ancillary_session_impl* s,
+                                            struct rte_mbuf* mbuf,
+                                            enum mtl_session_port s_port) {
+  return rx_ancillary_session_handle_pkt(impl, s, mbuf, s_port);
+}
+
+void st_rx_ancillary_session_fuzz_reset(struct st_rx_ancillary_session_impl* s) {
+  if (!s) return;
+
+  s->session_seq_id = -1;
+  s->tmstamp = -1;
+  s->stat_pkts_dropped = 0;
+  s->stat_pkts_redundant = 0;
+  s->stat_pkts_out_of_order = 0;
+  s->stat_pkts_enqueue_fail = 0;
+  s->stat_pkts_wrong_pt_dropped = 0;
+  s->stat_pkts_wrong_ssrc_dropped = 0;
+  s->stat_pkts_received = 0;
+  s->stat_last_time = 0;
+  s->stat_max_notify_rtp_us = 0;
+  s->stat_interlace_first_field = 0;
+  s->stat_interlace_second_field = 0;
+  s->stat_pkts_wrong_interlace_dropped = 0;
+  rte_atomic32_set(&s->stat_frames_received, 0);
+  mt_stat_u64_init(&s->stat_time);
+  memset(&s->port_user_stats, 0, sizeof(s->port_user_stats));
+  memset(s->stat_pkts_out_of_order_per_port, 0,
+         sizeof(s->stat_pkts_out_of_order_per_port));
+
+  for (int i = 0; i < MTL_SESSION_PORT_MAX; i++) {
+    s->latest_seq_id[i] = -1;
+    s->redundant_error_cnt[i] = 0;
+  }
+}
+#endif
+
 static int rx_ancillary_session_handle_mbuf(void* priv, struct rte_mbuf** mbuf,
                                             uint16_t nb) {
   struct st_rx_session_priv* s_priv = priv;

lib/src/st2110/st_rx_ancillary_session.h

@@ -11,6 +11,14 @@
 
 #define ST_RX_ANCILLARY_PREFIX "RC_"
 
+#ifdef MTL_ENABLE_FUZZING_ST40
+int st_rx_ancillary_session_fuzz_handle_pkt(struct mtl_main_impl* impl,
+                                            struct st_rx_ancillary_session_impl* s,
+                                            struct rte_mbuf* mbuf,
+                                            enum mtl_session_port s_port);
+void st_rx_ancillary_session_fuzz_reset(struct st_rx_ancillary_session_impl* s);
+#endif
+
 int st_rx_ancillary_sessions_sch_uinit(struct mtl_sch_impl* sch);
 
 #endif