add new fuzzer + google oss-fuzz integration files (#8534)

This commit introduces a new fuzzer crate that hosts fuzz tests for aptos-core.

The first version of the fuzzer includes these fuzz tests:
- Move Bytecode Verifier CodeUnit and Mixed modules
- Move execute entry function
- Move MoveValue decorate/undecorate
- Move MoveValue deserialize
- Move Value deserialize
- Signed Transaction deserialize

Cargo.toml

@@ -148,6 +148,8 @@ members = [
     "testsuite/dos/sender",
     "testsuite/forge",
     "testsuite/forge-cli",
+    "testsuite/fuzzer",
+    "testsuite/fuzzer/fuzz",
     "testsuite/generate-format",
     "testsuite/module-publish",
     "testsuite/smoke-test",
@@ -284,6 +286,7 @@ aptos-fallible = { path = "crates/fallible" }
 aptos-forge = { path = "testsuite/forge" }
 aptos-framework = { path = "aptos-move/framework" }
 aptos-fuzzer = { path = "testsuite/aptos-fuzzer" }
+fuzzer = { path = "testsuite/fuzzer" }
 aptos-gas = { path = "aptos-move/aptos-gas" }
 aptos-gas-algebra-ext = { path = "aptos-move/gas-algebra-ext" }
 aptos-gas-profiling = { path = "aptos-move/aptos-gas-profiling" }

testsuite/fuzzer/Cargo.toml

@@ -0,0 +1,7 @@
+[package]
+name = "fuzzer"
+version = "0.1.0"
+edition = "2021"
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]

testsuite/fuzzer/fuzz/.gitignore

@@ -0,0 +1,4 @@
+target
+corpus
+artifacts
+coverage

testsuite/fuzzer/fuzz/Cargo.toml

@@ -0,0 +1,64 @@
+[package]
+name = "fuzzer-fuzz"
+version = "0.0.0"
+publish = false
+edition = "2021"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+aptos-consensus = { workspace = true, features = ["fuzzing"] }
+aptos-consensus-types = { workspace = true, features = ["fuzzing"] }
+aptos-types = { workspace = true }
+arbitrary = "1.3.0"
+bcs = { workspace = true }
+libfuzzer-sys = "0.4"
+move-binary-format = { workspace = true, features = ["fuzzing"] }
+move-bytecode-verifier = { workspace = true }
+move-core-types = { workspace = true, features = ["fuzzing"] }
+move-vm-runtime = { workspace = true }
+move-vm-test-utils = { workspace = true }
+move-vm-types = { workspace = true, features = ["fuzzing"] }
+
+[[bin]]
+name = "move_bytecode_verifier_code_unit"
+path = "fuzz_targets/move/bytecode_verifier_code_unit.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "move_bytecode_verifier_mixed"
+path = "fuzz_targets/move/bytecode_verifier_mixed.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "move_value_deserialize"
+path = "fuzz_targets/move/value_deserialize.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "move_move_value_deserialize"
+path = "fuzz_targets/move/move_value_deserialize.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "move_move_value_decorate"
+path = "fuzz_targets/move/move_value_decorate.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "move_execute_entry_function"
+path = "fuzz_targets/move/execute_entry_function.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "signed_transaction_deserialize"
+path = "fuzz_targets/signed_transaction_deserialize.rs"
+test = false
+doc = false

testsuite/fuzzer/fuzz/fuzz_targets/move/bytecode_verifier_code_unit.rs

@@ -0,0 +1,82 @@
+// Copyright (c) The Move Contributors
+// Copyright © Aptos Foundation
+// SPDX-License-Identifier: Apache-2.0
+
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+use move_binary_format::file_format::{
+    empty_module, AbilitySet, CodeUnit, Constant, FieldDefinition, FunctionDefinition,
+    FunctionHandle, FunctionHandleIndex, IdentifierIndex, ModuleHandleIndex, Signature,
+    SignatureIndex,
+    SignatureToken::{Address, Bool, U128, U64},
+    StructDefinition, StructFieldInformation, StructHandle, StructHandleIndex, TypeSignature,
+    Visibility,
+};
+use move_core_types::{account_address::AccountAddress, ident_str};
+
+fuzz_target!(|code_unit: CodeUnit| {
+    let mut module = empty_module();
+    module.version = 5;
+
+    module.struct_handles.push(StructHandle {
+        module: ModuleHandleIndex(0),
+        name: IdentifierIndex(1),
+        abilities: AbilitySet::ALL,
+        type_parameters: vec![],
+    });
+
+    let fun_handle = FunctionHandle {
+        module: ModuleHandleIndex(0),
+        name: IdentifierIndex(2),
+        parameters: SignatureIndex(0),
+        return_: SignatureIndex(1),
+        type_parameters: vec![],
+    };
+
+    module.function_handles.push(fun_handle);
+
+    module.signatures.pop();
+    module.signatures.push(Signature(vec![
+        Address, U64, Address, Address, U128, Address, U64, U64, U64,
+    ]));
+    module.signatures.push(Signature(vec![]));
+    module
+        .signatures
+        .push(Signature(vec![Address, Bool, Address]));
+
+    module.identifiers.extend(
+        vec![
+            ident_str!("zf_hello_world").into(),
+            ident_str!("awldFnU18mlDKQfh6qNfBGx8X").into(),
+            ident_str!("aQPwJNHyAHpvJ").into(),
+            ident_str!("aT7ZphKTrKcYCwCebJySrmrKlckmnL5").into(),
+            ident_str!("arYpsFa2fvrpPJ").into(),
+        ]
+        .into_iter(),
+    );
+    module.address_identifiers.push(AccountAddress::random());
+
+    module.constant_pool.push(Constant {
+        type_: Address,
+        data: AccountAddress::ZERO.into_bytes().to_vec(),
+    });
+
+    module.struct_defs.push(StructDefinition {
+        struct_handle: StructHandleIndex(0),
+        field_information: StructFieldInformation::Declared(vec![FieldDefinition {
+            name: IdentifierIndex::new(3),
+            signature: TypeSignature(Address),
+        }]),
+    });
+
+    let fun_def = FunctionDefinition {
+        code: Some(code_unit),
+        function: FunctionHandleIndex(0),
+        visibility: Visibility::Public,
+        is_entry: false,
+        acquires_global_resources: vec![],
+    };
+
+    module.function_defs.push(fun_def);
+    let _ = move_bytecode_verifier::verify_module(&module);
+});