Merge pull request #421 from filecoin-project/fuzz/rle-fuzz

Add RLE fuzzing and fix two bugs:

- Don't panic when unsetting u64::MAX.
- Don't allow bitfields with trailing "zero" ranges.

Author: Stebalien

.clusterfuzzlite/build.sh

@@ -17,10 +17,11 @@
 
 cd "$SRC"
 
-declare -a PROJECTS=(amt hamt)
+declare -a PROJECTS=(amt hamt common)
 declare -A PROJECT_PATHS=(
 	[amt]="ref-fvm/ipld/amt/fuzz"
 	[hamt]="ref-fvm/ipld/hamt/fuzz"
+	[common]="ref-fvm/testing/common_fuzz/fuzz"
 )
 
 export CARGO_TARGET_DIR="$SRC/target"
@@ -34,9 +35,9 @@ for project in "${PROJECTS[@]}"; do
 
 	for f in fuzz_targets/*.rs; do
 		FUZZ_TARGET_NAME=$(basename "${f%.*}")
+		FUZZ_TARGET_LOC="$FUZZ_TARGET_OUTPUT_DIR/$FUZZ_TARGET_NAME"
 		FUZZ_OUT_NAME="${project}_${FUZZ_TARGET_NAME}"
-
-		cp "$FUZZ_TARGET_OUTPUT_DIR/$FUZZ_TARGET_NAME" "$OUT/$FUZZ_OUT_NAME"
+		[ -f "$FUZZ_TARGET_LOC" ] && cp "$FUZZ_TARGET_LOC" "$OUT/$FUZZ_OUT_NAME"
 	done
 
 	popd

ipld/amt/fuzz/Cargo.toml

@@ -9,8 +9,8 @@ edition = "2018"
 cargo-fuzz = true
 
 [dependencies]
-libfuzzer-sys = "0.3"
-arbitrary = { version = "0.4", features = ["derive"] }
+libfuzzer-sys = "0.4"
+arbitrary = { version = "1.1", features = ["derive"] }
 ahash = "0.7.6"
 itertools = "0.10.3"
 

ipld/bitfield/Cargo.toml

@@ -13,6 +13,7 @@ serde = { version = "1.0", features = ["derive"] }
 serde_bytes = { package = "cs_serde_bytes", version = "0.12" }
 fvm_shared = { version = "0.3.1", path = "../../shared" }
 thiserror = "1.0.30"
+arbitrary = { version = "1.1.0", optional = true}
 
 [dev-dependencies]
 rand_xorshift = "0.2.0"
@@ -22,6 +23,7 @@ serde_json = "1.0"
 
 [features]
 json = []
+enable-arbitrary = ["arbitrary"]
 
 [[bench]]
 name = "benchmarks"

ipld/bitfield/src/lib.rs

@@ -170,6 +170,9 @@ impl BitField {
 
     /// Removes the bit at a given index from the bit field.
     pub fn unset(&mut self, bit: u64) {
+        if bit == u64::MAX {
+            return;
+        }
         self.set.remove(&bit);
         self.unset.insert(bit);
     }

ipld/bitfield/src/rleplus/mod.rs

@@ -67,6 +67,8 @@ mod writer;
 
 use std::borrow::Cow;
 
+#[cfg(feature = "enable-arbitrary")]
+use arbitrary::{size_hint, Arbitrary, Unstructured};
 pub use error::Error;
 pub use reader::BitReader;
 use serde::{Deserialize, Deserializer, Serialize, Serializer};
@@ -106,6 +108,48 @@ impl<'de> Deserialize<'de> for BitField {
         Self::from_bytes(&bytes).map_err(serde::de::Error::custom)
     }
 }
+#[cfg(feature = "enable-arbitrary")]
+impl<'a> Arbitrary<'a> for BitField {
+    fn arbitrary(u: &mut Unstructured<'a>) -> arbitrary::Result<Self> {
+        let mut next_value: bool = bool::arbitrary(u)?;
+        let mut ranges = Vec::new();
+        let mut index = 0u64;
+        let mut total_len: u64 = 0;
+
+        let size = u.arbitrary_len::<(u64, u8)>()?;
+
+        for _ in 0..size {
+            // 3 line crappy "power-law" distribution
+            let len = u64::arbitrary(u)?;
+            let shift = u.int_in_range(0..=63)?;
+            let len = (len & (u64::MAX >> shift)).saturating_add(1);
+
+            let (new_total_len, ovf) = total_len.overflowing_add(len);
+            if ovf {
+                break;
+            }
+            total_len = new_total_len;
+            let start = index;
+            index += len;
+            let end = index;
+
+            if next_value {
+                ranges.push(start..end);
+            }
+
+            next_value = !next_value;
+        }
+
+        Ok(Self {
+            ranges,
+            ..Default::default()
+        })
+    }
+
+    fn size_hint(depth: usize) -> (usize, Option<usize>) {
+        size_hint::and(<usize as Arbitrary>::size_hint(depth), (0, None))
+    }
+}
 
 impl BitField {
     /// Decodes RLE+ encoded bytes into a bit field.
@@ -139,6 +183,12 @@ impl BitField {
             next_value = !next_value;
         }
 
+        // next_value equal true means we just read a run of zeros
+        // which means that there is a trailing run of zeros
+        if next_value {
+            return Err(Error::NotMinimal);
+        }
+
         Ok(Self {
             ranges,
             ..Default::default()
@@ -184,10 +234,9 @@ mod tests {
     use rand::{Rng, SeedableRng};
     use rand_xorshift::XorShiftRng;
 
-    use crate::iter::Ranges;
-
     use super::super::{bitfield, ranges_from_bits};
     use super::{BitField, BitWriter, Error};
+    use crate::iter::Ranges;
 
     #[test]
     fn test() {
@@ -370,6 +419,45 @@ mod tests {
                 ],
                 Err(Error::NotMinimal),
             ),
+            // tailing runs of zeros
+            (
+                vec![
+                    0, 0, // version
+                    0, // starts with 0
+                    1, // run of one
+                ],
+                Err(Error::NotMinimal),
+            ),
+            (
+                vec![
+                    0, 0, // version
+                    0, // starts with 0
+                    0, 1, // fits into 4 bits
+                    0, 0, 1, 0,
+                ],
+                Err(Error::NotMinimal),
+            ),
+            (
+                vec![
+                    0, 0, // version
+                    1, // starts with 1
+                    0, 1, // fits into 4 bits
+                    0, 0, 1, 0, // 2
+                    1, // trailing run of zeros
+                ],
+                Err(Error::NotMinimal),
+            ),
+            (
+                vec![
+                    0, 0, // version
+                    0, // starts with 1
+                    1, //run of one
+                    0, 1, // fits into 4 bits
+                    0, 0, 1, 0, // 2
+                    0, 1, 0, 0, 1, 0, // 2 trailing zeros
+                ],
+                Err(Error::NotMinimal),
+            ),
         ]
         .into_iter()
         .enumerate()
@@ -421,6 +509,20 @@ mod tests {
         assert_eq!(2, last);
     }
 
+    #[test]
+    fn test_unset_max() {
+        // Create any bitfield
+        let ranges: Vec<u64> = vec![0, 1, 2, 3];
+        let iter = ranges_from_bits(ranges);
+        let mut bf = BitField::from_ranges(iter);
+
+        // Unset u64::MAX
+        bf.unset(u64::MAX);
+
+        let last = bf.ranges().last().unwrap();
+        assert_eq!(0..4, last);
+    }
+
     #[test]
     fn test_zero_last() {
         let mut bf = BitField::new();

ipld/bitfield/src/unvalidated.rs

@@ -6,9 +6,8 @@ use std::convert::TryFrom;
 use fvm_shared::encoding::serde_bytes;
 use serde::{Deserialize, Deserializer, Serialize};
 
-use crate::Error;
-
 use super::BitField;
+use crate::Error;
 
 /// A trait for types that can produce a `&BitField` (or fail to do so).
 /// Generalizes over `&BitField` and `&mut UnvalidatedBitField`.

ipld/hamt/fuzz/Cargo.toml

@@ -9,8 +9,8 @@ edition = "2018"
 cargo-fuzz = true
 
 [dependencies]
-libfuzzer-sys = "0.3"
-arbitrary = { version = "0.4", features = ["derive"] }
+libfuzzer-sys = "0.4"
+arbitrary = { version = "1.1", features = ["derive"] }
 ahash = "0.7.6"
 
 fvm_ipld_hamt = { path = ".." }

testing/common_fuzz/Cargo.toml

@@ -0,0 +1,11 @@
+[package]
+name = "common_fuzz"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[workspace]
+members = ["."]
+
+[dependencies]

testing/common_fuzz/fuzz/.gitignore

@@ -0,0 +1,5 @@
+
+target
+artifacts
+Cargo.lock
+/fuzz-*

testing/common_fuzz/fuzz/Cargo.toml

@@ -0,0 +1,43 @@
+[package]
+name = "common_fuzz"
+version = "0.0.0"
+authors = [ "Protocol Labs", "Filecoin Core Devs"]
+publish = false
+edition = "2021"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+arbitrary = { version = "1.1", features = ["derive"] }
+ahash = "0.7.6"
+itertools = "0.10.3"
+
+cid = { version = "0.8.2", default-features = false, features = ["serde-codec"] }
+
+fvm_ipld_bitfield = { path = "../../../ipld/bitfield", features = ["enable-arbitrary"] }
+#fvm_shared = { path = "../../../shared" }
+
+# Prevent this from interfering with workspaces
+[workspace]
+members = ["."]
+
+
+[[bin]]
+name = "rle_ops"
+path = "fuzz_targets/rle_ops.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "rle_decode"
+path = "fuzz_targets/rle_decode.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "rle_encode"
+path = "fuzz_targets/rle_encode.rs"
+test = false
+doc = false