Add beacon state unmarshal fuzzer, afl support (prysmaticlabs#6625)

* Add AFL third_party libraries

* add beacon state fuzzing, add afl fuzz bundle

* rm fuzzing engine

* fix and lint

* Check for array out of bounds when calculating proposer delta

* failing test

* fix

* Checkpoint progress

* Add requirement that inclusion distance is not zero, add regression test

* No need for HTR since that is covered in process slots

* Removing some fuzzit logic, old fuzz tests

* Add ssz encoder test and fix

* Fuzzing checkpoint, adding fuzzing to the p2p layer

* ignore some libfuzzer files

* Full testing of p2p processing of blocks, with some mocked stuff

* use tmpdir and always process blocks

* use checkptr

* Update ethereumapis

* go mod tidy

* benchmarks for ferran's fast ssz hash tree root

* Update fastssz

* fmt

* gaz

* goimports

* Fix

* fix ethereumapis

* fix again

* kafka

* fix gen file

* fix compute signing root

* gofmt

* checkpoint progress

* progress

* checkpoint

* updates

* updates

* merge fix

* WIP

* merge

* fix build

* fix merge related issues

* cleanup

* revert unrelated

* lint

* lint

* lint

* manual tags for fuzz

* Commentary on upload script

* some import fixes, but not all

* fix //fuzz:fuzz_tests

* rm unused test

* update generated ssz

* Set // +build libfuzzer

* remove debug code

* A bit of refactoring ot explain why there is a committee_disabled file

Co-authored-by: prylabs-bulldozer[bot] <58059840+prylabs-bulldozer[bot]@users.noreply.github.com>

Author: prestonvanloon

.bazelrc

@@ -69,18 +69,12 @@ build:fuzz --copt=-fno-omit-frame-pointer
 build:fuzz --define=FUZZING_ENGINE=libfuzzer
 build:fuzz --copt=-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 build:fuzz --linkopt -Wl,--no-as-needed
-build:fuzz --define=gc_goopts=-d=libfuzzer
+build:fuzz --define=gc_goopts=-d=libfuzzer,checkptr
 build:fuzz --run_under=//tools:fuzz_wrapper
 build:fuzz --compilation_mode=opt
 
 test:fuzz --local_test_jobs="HOST_CPUS*.5"
 
-test:fuzzit --config=fuzz
-test:fuzzit --test_env=FUZZIT_API_KEY
-test:fuzzit --test_env=PRYSM_BUILD_IMAGE=gcr.io/prysmaticlabs/prysm-fuzzit:v0.11.0
-test:fuzzit --test_timeout=1200
-test:fuzzit --run_under=//tools:fuzzit_wrapper
-
 # Build binary with cgo symbolizer for debugging / profiling.
 build:cgo_symbolizer --config=llvm
 build:cgo_symbolizer --copt=-g

.gitignore

@@ -29,3 +29,7 @@ password.txt
 
 # Dist files
 dist
+
+# libfuzzer
+oom-*
+crash-*

beacon-chain/blockchain/BUILD.bazel

@@ -20,7 +20,10 @@ go_library(
         "service.go",
     ],
     importpath = "github.com/prysmaticlabs/prysm/beacon-chain/blockchain",
-    visibility = ["//beacon-chain:__subpackages__"],
+    visibility = [
+        "//beacon-chain:__subpackages__",
+        "//fuzz:__pkg__",
+    ],
     deps = [
         "//beacon-chain/cache:go_default_library",
         "//beacon-chain/cache/depositcache:go_default_library",

beacon-chain/cache/BUILD.bazel

@@ -6,14 +6,21 @@ go_library(
     srcs = [
         "attestation_data.go",
         "checkpoint_state.go",
-        "committee.go",
+        "committees.go",
         "common.go",
         "doc.go",
         "hot_state_cache.go",
         "skip_slot_cache.go",
         "state_summary.go",
         "subnet_ids.go",
-    ],
+    ] + select({
+        "//fuzz:fuzzing_enabled": [
+            "committee_disabled.go",
+        ],
+        "//conditions:default": [
+            "committee.go",
+        ],
+    }),
     importpath = "github.com/prysmaticlabs/prysm/beacon-chain/cache",
     visibility = [
         "//beacon-chain:__subpackages__",

beacon-chain/cache/committee.go

@@ -1,3 +1,5 @@
+// -build libfuzzer
+
 package cache
 
 import (
@@ -12,10 +14,6 @@ import (
 )
 
 var (
-	// ErrNotCommittee will be returned when a cache object is not a pointer to
-	// a Committee struct.
-	ErrNotCommittee = errors.New("object is not a committee struct")
-
 	// maxCommitteesCacheSize defines the max number of shuffled committees on per randao basis can cache.
 	// Due to reorgs and long finality, it's good to keep the old cache around for quickly switch over.
 	maxCommitteesCacheSize = uint64(32)
@@ -32,15 +30,6 @@ var (
 	})
 )
 
-// Committees defines the shuffled committees seed.
-type Committees struct {
-	CommitteeCount  uint64
-	Seed            [32]byte
-	ShuffledIndices []uint64
-	SortedIndices   []uint64
-	ProposerIndices []uint64
-}
-
 // CommitteeCache is a struct with 1 queue for looking up shuffled indices list by seed.
 type CommitteeCache struct {
 	CommitteeCache *cache.FIFO
@@ -216,6 +205,12 @@ func (c *CommitteeCache) ProposerIndices(seed [32]byte) ([]uint64, error) {
 	return item.ProposerIndices, nil
 }
 
+// HasEntry returns true if the committee cache has a value.
+func (c *CommitteeCache) HasEntry(seed string) bool {
+	_, ok, err := c.CommitteeCache.GetByKey(seed)
+	return err == nil && ok
+}
+
 func startEndIndices(c *Committees, index uint64) (uint64, uint64) {
 	validatorCount := uint64(len(c.ShuffledIndices))
 	start := sliceutil.SplitOffset(validatorCount, c.CommitteeCount, index)

beacon-chain/cache/committee_disabled.go

@@ -0,0 +1,50 @@
+// +build libfuzzer
+
+// This file is used in fuzzer builds to bypass global committee caches.
+package cache
+
+// FakeCommitteeCache is a struct with 1 queue for looking up shuffled indices list by seed.
+type FakeCommitteeCache struct {
+}
+
+// NewCommitteesCache creates a new committee cache for storing/accessing shuffled indices of a committee.
+func NewCommitteesCache() *FakeCommitteeCache {
+	return &FakeCommitteeCache{}
+}
+
+// Committee fetches the shuffled indices by slot and committee index. Every list of indices
+// represent one committee. Returns true if the list exists with slot and committee index. Otherwise returns false, nil.
+func (c *FakeCommitteeCache) Committee(slot uint64, seed [32]byte, index uint64) ([]uint64, error) {
+	return nil, nil
+}
+
+// AddCommitteeShuffledList adds Committee shuffled list object to the cache. T
+// his method also trims the least recently list if the cache size has ready the max cache size limit.
+func (c *FakeCommitteeCache) AddCommitteeShuffledList(committees *Committees) error {
+	return nil
+}
+
+// AddProposerIndicesList updates the committee shuffled list with proposer indices.
+func (c *FakeCommitteeCache) AddProposerIndicesList(seed [32]byte, indices []uint64) error {
+	return nil
+}
+
+// ActiveIndices returns the active indices of a given seed stored in cache.
+func (c *FakeCommitteeCache) ActiveIndices(seed [32]byte) ([]uint64, error) {
+	return nil, nil
+}
+
+// ActiveIndicesCount returns the active indices count of a given seed stored in cache.
+func (c *FakeCommitteeCache) ActiveIndicesCount(seed [32]byte) (int, error) {
+	return 0, nil
+}
+
+// ProposerIndices returns the proposer indices of a given seed.
+func (c *FakeCommitteeCache) ProposerIndices(seed [32]byte) ([]uint64, error) {
+	return nil, nil
+}
+
+// HasEntry returns true if the committee cache has a value.
+func (c *FakeCommitteeCache) HasEntry(string) bool {
+	return false
+}

beacon-chain/cache/committees.go

@@ -0,0 +1,16 @@
+package cache
+
+import "errors"
+
+// ErrNotCommittee will be returned when a cache object is not a pointer to
+// a Committee struct.
+var ErrNotCommittee = errors.New("object is not a committee struct")
+
+// Committees defines the shuffled committees seed.
+type Committees struct {
+	CommitteeCount  uint64
+	Seed            [32]byte
+	ShuffledIndices []uint64
+	SortedIndices   []uint64
+	ProposerIndices []uint64
+}

beacon-chain/core/helpers/BUILD.bazel

@@ -18,12 +18,13 @@ go_library(
     visibility = [
         "//beacon-chain:__subpackages__",
         "//endtoend/evaluators:__pkg__",
+        "//fuzz:__pkg__",
+        "//shared/attestationutil:__pkg__",
         "//shared/benchutil/benchmark_files:__subpackages__",
+        "//shared/depositutil:__pkg__",
         "//shared/interop:__pkg__",
         "//shared/keystore:__pkg__",
-        "//shared/depositutil:__pkg__",
         "//shared/p2putils:__pkg__",
-        "//shared/attestationutil:__pkg__",
         "//shared/testutil:__pkg__",
         "//slasher:__subpackages__",
         "//tools:__subpackages__",

beacon-chain/core/helpers/committee.go

@@ -312,7 +312,8 @@ func UpdateCommitteeCache(state *stateTrie.BeaconState, epoch uint64) error {
 		if err != nil {
 			return err
 		}
-		if _, exists, err := committeeCache.CommitteeCache.GetByKey(string(seed[:])); err == nil && exists {
+
+		if committeeCache.HasEntry(string(seed[:])) {
 			return nil
 		}
 

beacon-chain/db/BUILD.bazel

@@ -23,6 +23,7 @@ go_library(
     importpath = "github.com/prysmaticlabs/prysm/beacon-chain/db",
     visibility = [
         "//beacon-chain:__subpackages__",
+        "//fuzz:__pkg__",
         "//tools:__subpackages__",
     ],
     deps = [

beacon-chain/forkchoice/protoarray/BUILD.bazel

@@ -14,7 +14,10 @@ go_library(
         "types.go",
     ],
     importpath = "github.com/prysmaticlabs/prysm/beacon-chain/forkchoice/protoarray",
-    visibility = ["//beacon-chain:__subpackages__"],
+    visibility = [
+        "//beacon-chain:__subpackages__",
+        "//fuzz:__pkg__",
+    ],
     deps = [
         "//shared/params:go_default_library",
         "@com_github_pkg_errors//:go_default_library",

beacon-chain/operations/attestations/BUILD.bazel

@@ -12,7 +12,10 @@ go_library(
         "service.go",
     ],
     importpath = "github.com/prysmaticlabs/prysm/beacon-chain/operations/attestations",
-    visibility = ["//beacon-chain:__subpackages__"],
+    visibility = [
+        "//beacon-chain:__subpackages__",
+        "//fuzz:__pkg__",
+    ],
     deps = [
         "//beacon-chain/operations/attestations/kv:go_default_library",
         "//beacon-chain/state:go_default_library",

beacon-chain/operations/slashings/BUILD.bazel

@@ -11,7 +11,10 @@ go_library(
         "types.go",
     ],
     importpath = "github.com/prysmaticlabs/prysm/beacon-chain/operations/slashings",
-    visibility = ["//beacon-chain:__subpackages__"],
+    visibility = [
+        "//beacon-chain:__subpackages__",
+        "//fuzz:__pkg__",
+    ],
     deps = [
         "//beacon-chain/core/blocks:go_default_library",
         "//beacon-chain/core/helpers:go_default_library",

beacon-chain/operations/voluntaryexits/BUILD.bazel

@@ -8,7 +8,10 @@ go_library(
         "service.go",
     ],
     importpath = "github.com/prysmaticlabs/prysm/beacon-chain/operations/voluntaryexits",
-    visibility = ["//beacon-chain:__subpackages__"],
+    visibility = [
+        "//beacon-chain:__subpackages__",
+        "//fuzz:__pkg__",
+    ],
     deps = [
         "//beacon-chain/core/helpers:go_default_library",
         "//beacon-chain/state:go_default_library",

beacon-chain/p2p/encoder/BUILD.bazel

@@ -12,6 +12,7 @@ go_library(
     importpath = "github.com/prysmaticlabs/prysm/beacon-chain/p2p/encoder",
     visibility = [
         "//beacon-chain:__subpackages__",
+        "//fuzz:__pkg__",
     ],
     deps = [
         "//shared/params:go_default_library",

beacon-chain/p2p/testing/BUILD.bazel

@@ -4,13 +4,17 @@ go_library(
     name = "go_default_library",
     testonly = True,
     srcs = [
+        "fuzz_p2p.go",
         "mock_broadcaster.go",
         "mock_peermanager.go",
         "mock_peersprovider.go",
         "p2p.go",
     ],
     importpath = "github.com/prysmaticlabs/prysm/beacon-chain/p2p/testing",
-    visibility = ["//beacon-chain:__subpackages__"],
+    visibility = [
+        "//beacon-chain:__subpackages__",
+        "//fuzz:__pkg__",
+    ],
     deps = [
         "//beacon-chain/p2p/encoder:go_default_library",
         "//beacon-chain/p2p/peers:go_default_library",