feat(fuzz): AST fuzzer skeleton

Cargo.toml

@@ -13,6 +13,8 @@ members = [
     # Crates related to tooling built on top of the Noir compiler
     "tooling/lsp",
     "tooling/debugger",
+    "tooling/ast_fuzzer",
+    "tooling/ast_fuzzer/fuzz",
     "tooling/greybox_fuzzer",
     "tooling/fuzzer",
     "tooling/nargo",
@@ -146,6 +148,7 @@ prost = "0.13"
 prost-build = "0.13"
 protoc-prebuilt = "0.3"
 
+arbitrary = "1.4.1"
 cfg-if = "1.0.0"
 dirs = "4"
 serde = { version = "1.0.136", features = ["derive"] }
@@ -161,6 +164,7 @@ bincode = "1.3.3"
 hex = "0.4.2"
 const_format = "0.2.30"
 lazy_static = "1.4"
+libfuzzer-sys = "0.4"
 num-bigint = "0.4"
 num-traits = "0.2"
 similar-asserts = "1.5.0"

compiler/noirc_evaluator/src/ssa.rs

@@ -54,6 +54,7 @@ pub enum SsaLogging {
     Contains(String),
 }
 
+#[derive(Debug, Clone)]
 pub struct SsaEvaluatorOptions {
     /// Emit debug information for the intermediate SSA IR
     pub ssa_logging: SsaLogging,

compiler/noirc_frontend/src/monomorphization/ast.rs

@@ -77,7 +77,7 @@ pub enum Definition {
 
 /// ID of a local definition, e.g. from a let binding or
 /// function parameter that should be compiled before it is referenced.
-#[derive(Debug, Copy, Clone, PartialEq, Eq, Hash)]
+#[derive(Debug, Copy, Clone, PartialEq, Eq, Hash, PartialOrd, Ord)]
 pub struct LocalId(pub u32);
 
 /// A function ID corresponds directly to an index of `Program::globals`
@@ -152,12 +152,6 @@ pub struct Binary {
     pub location: Location,
 }
 
-#[derive(Debug, Clone)]
-pub struct Lambda {
-    pub function: Ident,
-    pub env: Ident,
-}
-
 #[derive(Debug, Clone, Hash)]
 pub struct If {
     pub condition: Box<Expression>,
@@ -329,7 +323,7 @@ pub struct Function {
 /// - Concrete lengths for each array and string
 /// - Several other variants removed (such as Type::Constant)
 /// - All structs replaced with tuples
-#[derive(Debug, PartialEq, Eq, Clone, Hash)]
+#[derive(Debug, PartialEq, Eq, Clone, Hash, PartialOrd, Ord)]
 pub enum Type {
     Field,
     Array(/*len:*/ u32, Box<Type>), // Array(4, Field) = [Field; 4]
@@ -449,8 +443,12 @@ impl std::ops::IndexMut<FuncId> for Program {
 
 impl std::fmt::Display for Program {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let mut printer = super::printer::AstPrinter::default();
+        for (id, expr) in &self.globals {
+            printer.print_global(id, expr, f)?;
+        }
         for function in &self.functions {
-            super::printer::AstPrinter::default().print_function(function, f)?;
+            printer.print_function(function, f)?;
         }
         Ok(())
     }

compiler/noirc_frontend/src/monomorphization/printer.rs

@@ -2,7 +2,7 @@
 
 use crate::ast::UnaryOp;
 
-use super::ast::{Definition, Expression, Function, LValue, While};
+use super::ast::{Definition, Expression, Function, GlobalId, LValue, While};
 use iter_extended::vecmap;
 use std::fmt::{Display, Formatter};
 
@@ -12,6 +12,19 @@ pub struct AstPrinter {
 }
 
 impl AstPrinter {
+    pub fn print_global(
+        &mut self,
+        id: &GlobalId,
+        expr: &Expression,
+        f: &mut Formatter,
+    ) -> std::fmt::Result {
+        // At the moment globals don't carry their name, nor a type.
+        write!(f, "global $g{} = ", id.0)?;
+        self.print_expr(expr, f)?;
+        write!(f, ";")?;
+        self.next_line(f)
+    }
+
     pub fn print_function(&mut self, function: &Function, f: &mut Formatter) -> std::fmt::Result {
         let params = vecmap(&function.parameters, |(id, mutable, name, typ)| {
             format!("{}{}$l{}: {}", if *mutable { "mut " } else { "" }, name, id.0, typ)

deny.toml

@@ -55,6 +55,8 @@ allow = [
     "MPL-2.0",
     # Boost Software License
     "BSL-1.0",
+    # libfuzzer-sys
+    "NCSA",
 ]
 
 # Allow 1 or more licenses on a per-crate basis, so that particular licenses

tooling/ast_fuzzer/Cargo.toml

@@ -0,0 +1,33 @@
+[package]
+name = "noir_ast_fuzzer"
+description = "A fuzzer generating arbitrary monomorphized ASTs and comparing the execution between ACIR and Brillig"
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+rust-version.workspace = true
+license.workspace = true
+
+[lints]
+workspace = true
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+[build-dependencies]
+build-data.workspace = true
+
+[dependencies]
+arbitrary.workspace = true
+color-eyre.workspace = true
+im.workspace = true
+proptest.workspace = true
+strum.workspace = true
+
+acir.workspace = true
+bn254_blackbox_solver.workspace = true
+nargo.workspace = true
+noirc_abi.workspace = true
+noirc_evaluator.workspace = true
+noirc_frontend.workspace = true
+noir_fuzzer.workspace = true
+
+[dev-dependencies]
+rand.workspace = true

tooling/ast_fuzzer/README.md

@@ -0,0 +1,40 @@
+# AST Fuzzer
+
+The AST Fuzzer generates arbitrary _monomorphized_ AST `Program` instances and
+executes them with various compilation strategies. For example we can:
+
+* compare the execution of and AST with minimal SSA passes versus the normal SSA flow, to test that all SSA transformations preserve behavior
+* perform random mutations on the AST that should preserve behavior, and check that the execution result with the full SSA flow is the same
+* compare ACIR and Brillig executions of the same AST
+
+The following command can be used to print some random AST to the console:
+
+```shell
+cargo run -p noir_ast_fuzzer --example sample
+```
+
+To run the fuzzer, pick one of the available targets:
+
+```console
+$ cd tooling/ast_fuzzer
+$ cargo fuzz list
+acir_vs_brillig
+init_vs_final
+orig_vs_mutant
+```
+
+and execute it with some time or execution limits:
+
+```shell
+cargo +nightly fuzz run init_vs_final -- -runs=1000 -max_total_time=60 -max_len=1048576
+```
+
+If there is an error, `cargo fuzz` will capture the artifacts required for a repeated run under the `artifacts` directory, and will print the command to run it again, which can be done with something like this:
+
+```shell
+NOIR_AST_FUZZER_DEBUG=1 cargo +nightly fuzz run -O init_vs_final fuzz/artifacts/init_vs_final/crash-fa077fcded882761fcf273eda7f429a833a80a7d
+```
+
+Note that `cargo fuzz` requires `nightly` build, which can be either turned on with the `cargo +nightly` flag, or by running `rustup default nightly`. Also note that `cargo fuzz run` automatically creates a `--release` build, there is no need for an explicit flag to be passed.
+
+The `NOIR_AST_FUZZER_DEBUG` env var can be used to print the AST before compilation.

tooling/ast_fuzzer/examples/sample.rs

@@ -0,0 +1,22 @@
+//! Print a random AST
+//!
+//! ```shell
+//! cargo run -p noir_ast_fuzzer --example sample
+//! ```
+use arbitrary::Unstructured;
+use noir_ast_fuzzer::{Config, arb_program};
+use rand::RngCore;
+
+fn main() {
+    let data = {
+        let mut rng = rand::thread_rng();
+        let mut data = [0u8; 1024 * 1024];
+        rng.fill_bytes(&mut data);
+        data
+    };
+    let mut u = Unstructured::new(&data);
+
+    let program = arb_program(&mut u, Config::default()).expect("arb_program");
+
+    println!("{program}");
+}

tooling/ast_fuzzer/fuzz/.gitignore

@@ -0,0 +1,4 @@
+target
+corpus
+artifacts
+coverage

tooling/ast_fuzzer/fuzz/Cargo.toml

@@ -0,0 +1,43 @@
+[package]
+name = "noir_ast_fuzzer_fuzz"
+description = "Targets for the AST fuzzer."
+version.workspace = true
+authors.workspace = true
+edition.workspace = true
+rust-version.workspace = true
+license.workspace = true
+publish = false
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+color-eyre.workspace = true
+libfuzzer-sys.workspace = true
+
+acir.workspace = true
+noirc_evaluator.workspace = true
+noirc_frontend.workspace = true
+
+noir_ast_fuzzer = { path = ".." }
+
+[[bin]]
+name = "init_vs_final"
+path = "fuzz_targets/init_vs_final.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "acir_vs_brillig"
+path = "fuzz_targets/acir_vs_brillig.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "orig_vs_mutant"
+path = "fuzz_targets/orig_vs_mutant.rs"
+test = false
+doc = false
+bench = false

tooling/ast_fuzzer/fuzz/README.md

@@ -0,0 +1,12 @@
+# AST fuzz targets
+
+This crate was created by `cargo fuzz init`. See more in https://rust-fuzz.github.io/book/cargo-fuzz/
+
+You can list the available targets with `cargo fuzz list`.
+
+Execute it with the following command:
+
+```shell
+cd tooling/ast_fuzzer
+cargo +nightly fuzz run <target>
+```