From 3ee1edde2f87c093304fc49e1f4633d0d4a8a464 Mon Sep 17 00:00:00 2001 From: Sabaun Taraki Date: Mon, 9 Oct 2023 23:23:19 +0300 Subject: [PATCH] refactor(runtime-fuzzer): Change required size for gear calls data (#3386) --- docker/runtime-fuzzer/scripts/fuzzer.sh | 4 ++-- scripts/check-fuzzer.sh | 7 ++++++- scripts/fuzzer_consts.sh | 3 +++ scripts/src/test.sh | 4 +++- utils/runtime-fuzzer/README.md | 6 +++--- utils/runtime-fuzzer/src/gear_calls.rs | 20 ++++++++++++-------- 6 files changed, 29 insertions(+), 15 deletions(-) create mode 100644 scripts/fuzzer_consts.sh diff --git a/docker/runtime-fuzzer/scripts/fuzzer.sh b/docker/runtime-fuzzer/scripts/fuzzer.sh index eab3c634910..0cab977828a 100755 --- a/docker/runtime-fuzzer/scripts/fuzzer.sh +++ b/docker/runtime-fuzzer/scripts/fuzzer.sh @@ -70,7 +70,7 @@ function start_container_post { rustup component add llvm-tools-preview && \ rustup component add --toolchain nightly llvm-tools-preview && \ cargo fuzz coverage --release --sanitizer=none main /corpus/main -- \ - -rss_limit_mb=8192 -max_len=35000000 -len_control=0 && \ + -rss_limit_mb=8192 -max_len=20000000 -len_control=0 && \ cargo cov -- show target/x86_64-unknown-linux-gnu/coverage/x86_64-unknown-linux-gnu/release/main \ --format=text \ --show-line-counts \ @@ -90,7 +90,7 @@ function start_container_post { # Clear folder with corpus rm -rf $WORK_DIR/corpus/* # Generate new first seed - dd if=/dev/urandom of=$WORK_DIR/corpus/first-seed bs=1 count=27000000 + dd if=/dev/urandom of=$WORK_DIR/corpus/first-seed bs=1 count=16000000 } # Function to start the container and wait for it to stop diff --git a/scripts/check-fuzzer.sh b/scripts/check-fuzzer.sh index fff3839e853..addd2e98bc3 100755 --- a/scripts/check-fuzzer.sh +++ b/scripts/check-fuzzer.sh 
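Review bot: `-max_len=20000000` on the `cargo fuzz coverage` line is a second copy of the value this same commit centralises as `MAX_LEN` in scripts/fuzzer_consts.sh, so the docker coverage run and scripts/src/test.sh will drift apart the next time the size hints in gear_calls.rs change. If the scripts directory is reachable from inside the image (the hunk does not show that), source the constants file and write `-rss_limit_mb="${RSS_LIMIT_MB:?}" -max_len="${MAX_LEN:?}" -len_control=0`; if it is not, a `# keep in sync with MAX_LEN in scripts/fuzzer_consts.sh` comment at least points the next editor at the canonical value. `start_container_post` begins before this hunk and its body continues past it.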
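Review bot: The seed line `dd if=/dev/urandom of=$WORK_DIR/corpus/first-seed bs=1 count=16000000` hard-codes the size that scripts/fuzzer_consts.sh now exposes as `INITIAL_INPUT_SIZE`, and `bs=1` makes dd issue sixteen million one-byte reads and writes to produce a single 16 MB file. `head -c "${INITIAL_INPUT_SIZE:-16000000}" /dev/urandom > "$WORK_DIR/corpus/first-seed"` writes the same bytes in one pass and names the constant; if the constants file cannot be sourced in the container, a `# keep in sync with INITIAL_INPUT_SIZE in scripts/fuzzer_consts.sh` comment is the minimum. The enclosing `start_container_post` starts outside this hunk.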
@@ -1,11 +1,16 @@ #!/usr/bin/env sh +SELF="$0" +SCRIPTS="$(cd "$(dirname "$SELF")"/ && pwd)" + +. "$SCRIPTS"/fuzzer_consts.sh + main() { echo " >> Getting random bytes from /dev/urandom" # Fuzzer expects a minimal input size of 25 MiB. Without providing a corpus of the same or larger # size fuzzer will stuck for a long time with trying to test the target using 0..100 bytes. mkdir -p utils/runtime-fuzzer/fuzz/corpus/main - dd if=/dev/urandom of=utils/runtime-fuzzer/fuzz/corpus/main/check-fuzzer-bytes bs=1 count=27000000 + dd if=/dev/urandom of=utils/runtime-fuzzer/fuzz/corpus/main/check-fuzzer-bytes bs=1 count="$INITIAL_INPUT_SIZE" echo " >> Running fuzzer with failpoint" RUST_BACKTRACE=1 FAILPOINTS=fail_fuzzer=return ./scripts/gear.sh test fuzz "" wlogs > fuzz_run 2>&1 diff --git a/scripts/fuzzer_consts.sh b/scripts/fuzzer_consts.sh new file mode 100644 index 00000000000..d0374aefb1a --- /dev/null +++ b/scripts/fuzzer_consts.sh @@ -0,0 +1,3 @@ +INITIAL_INPUT_SIZE=${INITIAL_INPUT_SIZE:-'16000000'} +MAX_LEN=${MAX_LEN:-'20000000'} +RSS_LIMIT_MB=${RSS_LIMIT_MB:-'8192'} diff --git a/scripts/src/test.sh b/scripts/src/test.sh index a48ba352dbb..fbb0d801029 100755 --- a/scripts/src/test.sh +++ b/scripts/src/test.sh @@ -82,6 +82,8 @@ validators() { } run_fuzzer() { + . $(dirname "$SELF")/fuzzer_consts.sh + ROOT_DIR="$1" CORPUS_DIR="$2" # Navigate to fuzzer dir @@ -94,7 +96,7 @@ run_fuzzer() { fi # Run fuzzer - RUST_LOG="$LOG_TARGETS" cargo fuzz run --release --sanitizer=none main $CORPUS_DIR -- -rss_limit_mb=8192 -max_len=35000000 -len_control=0 + RUST_LOG="$LOG_TARGETS" cargo fuzz run --release --sanitizer=none main $CORPUS_DIR -- -rss_limit_mb=$RSS_LIMIT_MB -max_len=$MAX_LEN -len_control=0 } test_fuzzer_reproduction() { diff --git a/utils/runtime-fuzzer/README.md b/utils/runtime-fuzzer/README.md index 3f718836b53..107d3b62183 100644 --- a/utils/runtime-fuzzer/README.md +++ b/utils/runtime-fuzzer/README.md 
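Review bot: The comment two lines above the changed `dd` still reads `Fuzzer expects a minimal input size of 25 MiB`, but the seed now written is `$INITIAL_INPUT_SIZE` bytes, 16,000,000 by default (about 15.3 MiB), and the matching `-max_len` is 20,000,000, so the figure in the comment no longer describes what the script does. Point the comment at the constant instead of a literal, e.g. `# Fuzzer expects inputs of at least INITIAL_INPUT_SIZE bytes (see scripts/fuzzer_consts.sh); with a smaller corpus it stalls for a long time trying 0..100-byte inputs.` The same stale "25 MiB" sentence is repeated in utils/runtime-fuzzer/README.md in this commit. `main()` continues past the end of the hunk.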
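Review bot: Nothing in scripts/fuzzer_consts.sh says how `INITIAL_INPUT_SIZE`, `MAX_LEN` and `RSS_LIMIT_MB` relate, although the seed written with `INITIAL_INPUT_SIZE` has to fit under libFuzzer's `-max_len` and both numbers were evidently chosen against the per-call size hints in utils/runtime-fuzzer/src/gear_calls.rs that this same commit rewrites. A short header stating that `INITIAL_INPUT_SIZE` is the urandom seed size and must not exceed `MAX_LEN`, that `MAX_LEN` is passed straight to libFuzzer as `-max_len`, and that both need revisiting whenever an `unstructured_size_hint` changes would keep the next edit from stalling the fuzzer silently. The names are overridable from the environment, so an unrelated exported `MAX_LEN` changes the fuzz configuration without anyone noticing; a project prefix such as `GEAR_FUZZER_MAX_LEN` would avoid that. Since the values end up unquoted on a command line in scripts/src/test.sh, a guard such as `case "$MAX_LEN" in ''|*[!0-9]*) echo "MAX_LEN must be an integer" >&2; exit 1;; esac` is cheap insurance.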
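Review bot: The new `. $(dirname "$SELF")/fuzzer_consts.sh` leaves the command substitution unquoted, so a checkout path containing whitespace is split into several words and the source fails, while scripts/check-fuzzer.sh in the same commit quotes the equivalent path correctly; write `. "$(dirname "$SELF")"/fuzzer_consts.sh`. The line also assumes `$SELF` names a script living in scripts/ rather than scripts/src/test.sh, the file this hunk patches, which I cannot confirm from here; a comment naming which entry script sets `SELF` would help the next reader. `run_fuzzer` continues past the end of this hunk.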
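Review bot: `-rss_limit_mb=$RSS_LIMIT_MB -max_len=$MAX_LEN` is unquoted and has no fallback, so if sourcing fuzzer_consts.sh fails (wrong `SELF`, file missing) and the shell is not running under `set -e`, cargo fuzz is started with an empty `-max_len=` whose meaning is then whatever libFuzzer's flag parser makes of it, not the size this commit chose. Failing loudly is a one-line change: `-- -rss_limit_mb="${RSS_LIMIT_MB:?fuzzer_consts.sh not sourced}" -max_len="${MAX_LEN:?fuzzer_consts.sh not sourced}" -len_control=0`. The body of `run_fuzzer` begins before this hunk.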
@@ -19,7 +19,7 @@ cd utils/runtime-fuzzer # Fuzzer expects a minimal input size of 25 MiB. Without providing a corpus of the same or larger # size fuzzer will stuck for a long time with trying to test the target using 0..100 bytes. mkdir -p fuzz/corpus/main -dd if=/dev/urandom of=fuzz/corpus/main/fuzzer-seed-corpus bs=1 count=27000000 +dd if=/dev/urandom of=fuzz/corpus/main/fuzzer-seed-corpus bs=1 count=16000000 # Run fuzzer for at least 20 minutes and then press Ctrl-C to stop fuzzing. # You can also remove RUST_LOG to avoid printing tons of logs on terminal. @@ -31,7 +31,7 @@ cargo fuzz run \ fuzz/corpus/main \ -- \ -rss_limit_mb=8192 \ - -max_len=35000000 \ + -max_len=20000000 \ -len_control=0 # Get coverage @@ -42,7 +42,7 @@ cargo fuzz coverage \ fuzz/corpus/main \ -- \ -rss_limit_mb=8192 \ - -max_len=35000000 \ + -max_len=20000000 \ -len_control=0 ``` diff --git a/utils/runtime-fuzzer/src/gear_calls.rs b/utils/runtime-fuzzer/src/gear_calls.rs index 28799831d63..5ec2c255dc4 100644 --- a/utils/runtime-fuzzer/src/gear_calls.rs +++ b/utils/runtime-fuzzer/src/gear_calls.rs @@ -38,6 +38,7 @@ use gear_wasm_gen::{ EntryPointsSet, InvocableSysCall, ParamType, StandardGearWasmConfigsBundle, SysCallName, SysCallsInjectionTypes, SysCallsParamsConfig, }; +use std::mem; /// Maximum payload size for the fuzzer - 512 KiB. const MAX_PAYLOAD_SIZE: usize = 512 * 1024; 
@@ -51,6 +52,13 @@ static_assertions::const_assert!(MAX_PAYLOAD_SIZE <= gear_core::message::MAX_PAY const MAX_SALT_SIZE: usize = 512; static_assertions::const_assert!(MAX_SALT_SIZE <= gear_core::message::MAX_PAYLOAD_SIZE); +const ID_SIZE: usize = mem::size_of::(); +const GAS_AND_VALUE_SIZE: usize = mem::size_of::<(u64, u128)>(); +// Used to make sure that generators will not exceed `Unstructured` size as it's used not only +// to generate things like wasm code or message payload but also to generate some auxiliary +// data, for example index in some vec. +const AUXILIARY_SIZE: usize = 512; + /// This trait provides ability for [`ExtrinsicGenerator`]s to fetch messages /// from mailbox, for example [`UploadProgramGenerator`] and /// [`ClaimValueGenerator`] use it. @@ -248,9 +256,8 @@ impl UploadProgramGenerator { const fn unstructured_size_hint(&self) -> usize { // Max code size - 50 KiB. const MAX_CODE_SIZE: usize = 50 * 1024; - const AUXILIARY_SIZE: usize = 512; - MAX_CODE_SIZE + MAX_PAYLOAD_SIZE + MAX_SALT_SIZE + AUXILIARY_SIZE + MAX_CODE_SIZE + MAX_SALT_SIZE + MAX_PAYLOAD_SIZE + GAS_AND_VALUE_SIZE + AUXILIARY_SIZE } } @@ -289,8 +296,7 @@ impl SendMessageGenerator { } const fn unstructured_size_hint(&self) -> usize { - // 512 KiB for payload. - 520 * 1024 + ID_SIZE + MAX_PAYLOAD_SIZE + GAS_AND_VALUE_SIZE + AUXILIARY_SIZE } } @@ -336,8 +342,7 @@ impl SendReplyGenerator { } const fn unstructured_size_hint(&self) -> usize { - // 512 KiB for payload. - 520 * 1024 + ID_SIZE + MAX_PAYLOAD_SIZE + GAS_AND_VALUE_SIZE + AUXILIARY_SIZE } } @@ -361,8 +366,7 @@ impl ClaimValueGenerator { } const fn unstructured_size_hint(&self) -> usize { - // 32 bytes for message id. - 100 + ID_SIZE + AUXILIARY_SIZE } }
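Review bot: `GAS_AND_VALUE_SIZE` is defined as `mem::size_of::<(u64, u128)>()`, which is the in-memory size of the tuple including alignment padding, not the number of bytes `Unstructured` consumes to yield a `u64` and a `u128` (8 + 16 = 24); the two coincide only while `u128` is 8-byte aligned and the tuple grows to 32 bytes once `u128` is 16-byte aligned, so the hint quietly depends on the toolchain's layout. If the hint is only a lower bound, as its name suggests, the overestimate is harmless, but `mem::size_of::<u64>() + mem::size_of::<u128>()` states what is meant and is layout-independent. The type parameter in the `ID_SIZE` line does not survive this rendering (`mem::size_of::()`), so I cannot check it; please confirm it is the id type the generators actually read. Each new constant would also benefit from a `///` line saying it counts bytes drawn from `Unstructured`, e.g. `/// Bytes drawn from Unstructured for a message or program id.`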
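Review bot: The rewritten `unstructured_size_hint` of `SendMessageGenerator` is now the same expression that `SendReplyGenerator` gets further down, `ID_SIZE + MAX_PAYLOAD_SIZE + GAS_AND_VALUE_SIZE + AUXILIARY_SIZE`, with nothing tying the two together, so the next edit to one will silently diverge from the other. A module-level `const MESSAGE_CALL_SIZE_HINT: usize = ID_SIZE + MAX_PAYLOAD_SIZE + GAS_AND_VALUE_SIZE + AUXILIARY_SIZE;` beside the other constants, returned from both methods, keeps them in step. The rewrite also dropped the method's only comment; a `///` line such as `/// Lower bound on the bytes this generator takes from Unstructured (confirm against the caller).` would record the contract the constants encode, since where the hint is consumed is not visible in this hunk.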