
Fuzz question

Open Subway2023 opened this issue 7 months ago • 6 comments

May I ask what exactly the input (|data: &[u8]|) refers to? Why is it valid to compare the results of run_asm and run_int in differential testing?

use libfuzzer_sys::fuzz_target;

// `data` is the fuzzer-provided input; run_asm / run_int are the fuzz crate's
// wrappers around the assembly-backed and interpreter-backed VM respectively.
fuzz_target!(|data: &[u8]| {
    // Run the assembly backend three times on the same input.
    let r0 = run_asm(data);
    let r1 = run_asm(data);
    let r2 = run_asm(data);
    // Run the interpreter backend once.
    let r3 = run_int(data);
    // The assembly backend must be deterministic.
    assert_eq!(r0, r1);
    assert_eq!(r1, r2);
    if r2.is_ok() {
        // On success, both backends must produce the same result.
        assert_eq!(r2.unwrap(), r3.unwrap());
    } else {
        // On failure, the interpreter must fail too (the error values need not match).
        assert!(r3.is_err())
    }
});

Subway2023 avatar May 02 '25 14:05 Subway2023

The input refers to random RISC-V binary code. It may be legal RISC-V binary code, but it may also be illegal.

We use run_asm and run_int to test this randomly generated "code" to ensure:

  • run_asm is deterministic.
  • When run_asm succeeds, run_int must also succeed.

There is no guarantee that the errors of run_asm and run_int are exactly the same.

mohanson avatar May 05 '25 11:05 mohanson

May I ask why run_asm is deterministic, but run_int is not deterministic? Has run_int applied some optimizations?

Subway2023 avatar May 09 '25 10:05 Subway2023

There is an error when building the fuzz tool:

root@subw3-117c:/mnt/riscv/ckb-vm-develop/fuzz# cargo build
   Compiling spike-sys v0.1.2
   Compiling serde v1.0.219
   Compiling derive_more v1.0.0
   Compiling libfuzzer-sys v0.4.9
error: could not find native static library `spike-interfaces`, perhaps an -L flag is missing?

error: could not compile `spike-sys` (lib) due to 1 previous error

Subway2023 avatar Jun 01 '25 04:06 Subway2023

I think executing the following command can solve your problem:

$ sudo apt install device-tree-compiler

If you still encounter problems, you can try to manually execute the build.sh file in the source.

mohanson avatar Jun 01 '25 11:06 mohanson

The input for fuzzing is RISC-V binary code. Do you happen to have a differential testing tool that accepts RISC-V assembly code as input instead? This would make it easier to identify what kind of program triggers the bugs.

Subway2023 avatar Jun 01 '25 14:06 Subway2023

> The input for fuzzing is RISC-V binary code. Do you happen to have a differential testing tool that accepts RISC-V assembly code as input instead? This would make it easier to identify what kind of program triggers the bugs.

We can compile RISC-V assembly code into binary code through assembly tools, which can be easily done through the tool riscv64-unknown-elf-as.

Usage: https://github.com/nervosnetwork/ckb-vm/blob/develop/tests/programs/_build_all_native.sh#L5

Source assembly code: https://github.com/nervosnetwork/ckb-vm/blob/develop/tests/programs/amo_check_write.S

mohanson avatar Jun 04 '25 07:06 mohanson
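As an added example (not ckb-vm's own code), a small Python encoder for a handful of RV64I instructions that produces the raw little-endian machine-code bytes the fuzz target receives as `data`, which is handy for seeding the corpus with a known program when riscv64-unknown-elf-as is not installed. It assumes the harness consumes raw instruction words rather than an ELF file, and the seed file name is a placeholder.

```python
import struct

# ABI register names -> x-register numbers (subset sufficient for the demo).
REGS = {"zero": 0, "ra": 1, "sp": 2, "t0": 5, "a0": 10, "a1": 11, "a2": 12}

OPCODE_OP_IMM = 0x13  # addi and friends (I-type)
OPCODE_OP = 0x33      # add/sub/... (R-type)
ECALL = 0x00000073    # fixed encoding

def _reg(name):
    if name not in REGS:
        raise ValueError(f"unknown register {name}")
    return REGS[name]

def encode_i(opcode, funct3, rd, rs1, imm):
    """I-type: imm[11:0] | rs1 | funct3 | rd | opcode (12-bit signed imm)."""
    if not -2048 <= imm <= 2047:
        raise ValueError("immediate out of 12-bit signed range")
    return ((imm & 0xFFF) << 20) | (rs1 << 15) | (funct3 << 12) | (rd << 7) | opcode

def encode_r(opcode, funct3, funct7, rd, rs1, rs2):
    """R-type: funct7 | rs2 | rs1 | funct3 | rd | opcode."""
    return (funct7 << 25) | (rs2 << 20) | (rs1 << 15) | (funct3 << 12) | (rd << 7) | opcode

def assemble(line):
    """Assemble one instruction line into its 32-bit instruction word."""
    mnem, *ops = line.replace(",", " ").split()
    if mnem == "addi":
        return encode_i(OPCODE_OP_IMM, 0, _reg(ops[0]), _reg(ops[1]), int(ops[2], 0))
    if mnem == "li":  # pseudo-instruction: addi rd, zero, imm (12-bit immediates only)
        return encode_i(OPCODE_OP_IMM, 0, _reg(ops[0]), 0, int(ops[1], 0))
    if mnem == "add":
        return encode_r(OPCODE_OP, 0, 0x00, _reg(ops[0]), _reg(ops[1]), _reg(ops[2]))
    if mnem == "sub":
        return encode_r(OPCODE_OP, 0, 0x20, _reg(ops[0]), _reg(ops[1]), _reg(ops[2]))
    if mnem == "ecall":
        return ECALL
    raise ValueError(f"unsupported mnemonic {mnem}")

def to_fuzz_input(program):
    """Raw little-endian instruction bytes; assumes the harness takes raw words, not an ELF."""
    return b"".join(struct.pack("<I", assemble(line)) for line in program)

if __name__ == "__main__":
    seed = to_fuzz_input(["li a0, 42", "addi a1, a0, -1", "add a2, a0, a1", "ecall"])
    with open("seed_li_add_ecall.bin", "wb") as f:  # placeholder corpus file name
        f.write(seed)
    print(seed.hex())
```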