add fuzz corpus

.github/workflows/cflite_batch.yml

@@ -1,33 +1,48 @@
-name: ClusterFuzzLite batch fuzzing
+name: ClusterFuzzLite cron tasks
 on:
   workflow_dispatch:
+  push:
+    branches:
+      - develop # Use your actual default branch here.
   schedule:
     - cron: "0 8 * * 1" # At 08:00 on Monday.
 permissions: read-all
 jobs:
-  BatchFuzzing:
+  Fuzzing:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        sanitizer: [address, undefined, memory]
+        include:
+          - mode: batch
+            sanitizer: address
+          - mode: batch
+            sanitizer: undefined
+          - mode: batch
+            sanitizer: memory
+          - mode: prune
+            sanitizer: address
+          - mode: coverage
+            sanitizer: coverage
     steps:
-      - name: Build Fuzzers (${{ matrix.sanitizer }})
+      - name: Build Fuzzers (${{ matrix.mode }} - ${{ matrix.sanitizer }})
         id: build
         uses: google/clusterfuzzlite/actions/build_fuzzers@v1
         with:
-          language: c++
+          language: c # Change this to the language you are fuzzing.
+          github-token: ${{ secrets.GITHUB_TOKEN }}
           sanitizer: ${{ matrix.sanitizer }}
-      - name: Run Fuzzers (${{ matrix.sanitizer }})
+          storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/lightsail-network/app-stellar-fuzz-corpus
+          storage-repo-branch: main
+          storage-repo-branch-coverage: gh-pages
+      - name: Run Fuzzers (${{ matrix.mode }} - ${{ matrix.sanitizer }})
         id: run
         uses: google/clusterfuzzlite/actions/run_fuzzers@v1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
-          fuzz-seconds: 3600 # 1 hour
-          mode: "batch"
+          fuzz-seconds: 600 # 10 minutes
+          mode: ${{ matrix.mode }}
           sanitizer: ${{ matrix.sanitizer }}
-          # Optional but recommended: For storing certain artifacts from fuzzing.
-          # See later section on "Git repo for storage".
-          #storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/LedgerHQ/fuzzers-corpus.git
-          #storage-repo-branch: main   # Optional. Defaults to "main"
-          #storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
+          storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/lightsail-network/app-stellar-fuzz-corpus
+          storage-repo-branch: main   # Optional. Defaults to "main"
+          storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".

.github/workflows/cflite_pr.yml

@@ -13,32 +13,27 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        sanitizer: [address, undefined, memory]
+        sanitizer: [address, undefined, memory] # Override this with the sanitizers you want.
     steps:
       - name: Build Fuzzers (${{ matrix.sanitizer }})
         id: build
         uses: google/clusterfuzzlite/actions/build_fuzzers@v1
         with:
-          language: c++
+          language: c # Change this to the language you are fuzzing.
           github-token: ${{ secrets.GITHUB_TOKEN }}
           sanitizer: ${{ matrix.sanitizer }}
-          # Optional but recommended: used to only run fuzzers that are affected
-          # by the PR.
-          # See later section on "Git repo for storage".
-          #storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/LedgerHQ/fuzzers-corpus.git
-          #storage-repo-branch: main   # Optional. Defaults to "main"
-          #storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
+          storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/lightsail-network/app-stellar-fuzz-corpus
+          storage-repo-branch: main
+          storage-repo-branch-coverage: gh-pages
       - name: Run Fuzzers (${{ matrix.sanitizer }})
         id: run
         uses: google/clusterfuzzlite/actions/run_fuzzers@v1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
-          fuzz-seconds: 600 # 10 minutes
+          fuzz-seconds: 300 # 5 minutes
           mode: "code-change"
           sanitizer: ${{ matrix.sanitizer }}
-          # Optional but recommended: used to download the corpus produced by
-          # batch fuzzing.
-          # See later section on "Git repo for storage".
-          #storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/LedgerHQ/fuzzers-corpus.git
-          #storage-repo-branch: main   # Optional. Defaults to "main"
-          #storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
+          output-sarif: true
+          storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/lightsail-network/app-stellar-fuzz-corpus
+          storage-repo-branch: main
+          storage-repo-branch-coverage: gh-pages

fuzz/CMakeLists.txt

@@ -19,6 +19,12 @@ if (NOT CMAKE_C_COMPILER_ID MATCHES "Clang")
     message(FATAL_ERROR "Fuzzer needs to be built with Clang")
 endif ()
 
+# Build with code coverage generation
+if(CODE_COVERAGE)
+    add_compile_options(-fprofile-instr-generate -fcoverage-mapping)
+    add_link_options(-fprofile-instr-generate -fcoverage-mapping)
+endif()
+
 include(CTest)
 ENABLE_TESTING()
 

fuzz/fuzz_tx.c

@@ -9,6 +9,17 @@
 #define DETAIL_CAPTION_MAX_LENGTH 21
 #define DETAIL_VALUE_MAX_LENGTH   105
 
+static bool plugin_check_presence(const uint8_t *contract_address);
+static stellar_plugin_result_t plugin_init_contract(const uint8_t *contract_address);
+static stellar_plugin_result_t plugin_query_data_pair_count(const uint8_t *contract_address,
+                                                            uint8_t *data_pair_count);
+static stellar_plugin_result_t plugin_query_data_pair(const uint8_t *contract_address,
+                                                      uint8_t data_pair_index,
+                                                      char *caption,
+                                                      uint8_t caption_len,
+                                                      char *value,
+                                                      uint8_t value_len);
+
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     envelope_t envelope;
     bool data_exists = true;
@@ -57,6 +68,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
             .caption_len = DETAIL_CAPTION_MAX_LENGTH,
             .value_len = DETAIL_VALUE_MAX_LENGTH,
             .display_sequence = true,
+            .plugin_check_presence = &plugin_check_presence,
+            .plugin_init_contract = &plugin_init_contract,
+            .plugin_query_data_pair_count = &plugin_query_data_pair_count,
+            .plugin_query_data_pair = &plugin_query_data_pair,
         };
 
         reset_formatter();
@@ -74,3 +89,56 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 
     return 0;
 }
+
+static bool plugin_check_presence(const uint8_t *contract_address) {
+    uint8_t expected[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
+    return memcmp(contract_address, expected, 32) == 0;
+}
+
+stellar_plugin_result_t plugin_init_contract(const uint8_t *contract_address) {
+    // Build-in token plugin
+    if (plugin_check_presence(contract_address)) {
+        return STELLAR_PLUGIN_RESULT_OK;
+    }
+    return STELLAR_PLUGIN_RESULT_UNAVAILABLE;
+}
+
+stellar_plugin_result_t plugin_query_data_pair_count(const uint8_t *contract_address,
+                                                     uint8_t *data_pair_count) {
+    // Build-in token plugin
+    if (plugin_check_presence(contract_address)) {
+        *data_pair_count = 3;
+        return STELLAR_PLUGIN_RESULT_OK;
+    }
+    return STELLAR_PLUGIN_RESULT_UNAVAILABLE;
+}
+
+stellar_plugin_result_t plugin_query_data_pair(const uint8_t *contract_address,
+                                               uint8_t data_pair_index,
+                                               char *caption,
+                                               uint8_t caption_len,
+                                               char *value,
+                                               uint8_t value_len) {
+    if (!plugin_check_presence(contract_address)) {
+        return STELLAR_PLUGIN_RESULT_UNAVAILABLE;
+    }
+    switch (data_pair_index) {
+        case 0:
+            strncpy(caption, "caption 0", caption_len);
+            strncpy(value, "value 0", value_len);
+            break;
+        case 1:
+            strncpy(caption, "caption 1", caption_len);
+            strncpy(value, "value 1", value_len);
+            break;
+        case 2:
+            strncpy(caption, "caption 2", caption_len);
+            strncpy(value, "value 2", value_len);
+            break;
+        default:
+            return STELLAR_PLUGIN_RESULT_ERROR;
+    }
+    return STELLAR_PLUGIN_RESULT_OK;
+}

fuzz/run.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+set -e
+
+SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+BUILDDIR="$SCRIPTDIR/cmake-build-fuzz-coverage"
+CORPUSDIR="$SCRIPTDIR/corpus"
+HTMLCOVDIR="$SCRIPTDIR/html-coverage"
+
+# Compile the fuzzer with code coverage support
+rm -rf "$BUILDDIR" "$HTMLCOVDIR"
+cmake -DBOLOS_SDK=/opt/ledger-secure-sdk -DCMAKE_C_COMPILER=clang -DCODE_COVERAGE=1 -B"$BUILDDIR" -H.
+cmake --build "$BUILDDIR" --target fuzz_tx
+
+# Run the fuzzer on the corpus files
+export LLVM_PROFILE_FILE="$BUILDDIR/fuzz_tx.%p.profraw"
+# "$BUILDDIR/fuzz_tx" "$CORPUSDIR"/*
+"$BUILDDIR/fuzz_tx" -rss_limit_mb=1024 -max_len=20000 -max_total_time=600 -print_final_stats=1 "$CORPUSDIR" -jobs=4 -workers=4
+llvm-profdata merge --sparse "$BUILDDIR"/fuzz_tx.*.profraw -o "$BUILDDIR/fuzz_tx.profdata"
+
+# Exclude lib_standard_app directory, base32 and base64 code from coverage report
+llvm-cov show "$BUILDDIR/fuzz_tx" -instr-profile="$BUILDDIR/fuzz_tx.profdata" -show-line-counts-or-regions -output-dir="$HTMLCOVDIR" -format=html -ignore-filename-regex="(.*lib_standard_app.*)|(.*libstellar/base64\.c.*)|(.*libstellar/base32\.c.*)"
+llvm-cov report "$BUILDDIR/fuzz_tx" -instr-profile="$BUILDDIR/fuzz_tx.profdata" -ignore-filename-regex="(.*lib_standard_app.*)|(.*libstellar/base64\.c.*)|(.*libstellar/base32\.c.*)"