
Canary audit SSA fuzzing#8407

Closed
michaeljklein wants to merge 3 commits into master from michaeljklein/canary-ssa-fuzzing

Conversation

@michaeljklein (Contributor) commented May 7, 2025

Description

Problem*

Summary*

  • Testing target SSA passes w/ existing ssa_fuzzer
  • Adding a new fuzz target w/ cargo-afl

Additional Context

Documentation*

Check one:

  • No documentation needed.
  • Documentation included in this PR.
  • [For Experimental Features] Documentation to be submitted in a separate PR.

PR Checklist*

  • I have tested the changes locally.
  • I have formatted the changes with Prettier and/or cargo fmt on default settings.

…dd empty afl fuzz target, use 'skip_remove_unreachable' in 'ssa_fuzzer'
Comment on lines 141 to +143
pub fn primary_passes(options: &SsaEvaluatorOptions) -> Vec<SsaPass> {
vec![
SsaPass::new(Ssa::remove_unreachable_functions, "Removing Unreachable Functions"),
opt_remove_unreachable_functions(options.skip_remove_unreachable, "Removing Unreachable Functions"),
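Review bot: `opt_remove_unreachable_functions(options.skip_remove_unreachable, "Removing Unreachable Functions")` gates a single pass on a dedicated bool in `SsaEvaluatorOptions`, so each further pass the fuzzer needs to disable would require another option and another helper; a per-pass filter keyed on the pass message would cover this pass and the rest of `primary_passes` with one mechanism. If the bool is kept, document on `skip_remove_unreachable` that it exists for the fuzzer rather than normal compilation, and add a unit test asserting that the pass is still present in the list when the flag is false.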
@aakoshh (Contributor) commented May 8, 2025

I think if we modify the SSA pipeline for testing, then we should do it in a more generic way, for example by passing additional parameters to the SsaBuilder:

  • a set of msg values to skip in the pipeline
  • a number of passes after which to stop modifying the SSA
  • a number of passes to skip before starting to modify the SSA

That way we can turn anything off, for example we could say something along the lines of:

let ssa0 = gen_initial_ssa(ast);
let ssa1 = SsaBuilder::new(ssa0).limit(10).build();
let ssa2 = SsaBuilder::new(ssa1).skip(10).limit(1).build();

In this example the only difference between ssa1 and ssa2 would be that ssa1 has step 11 applied on it.

I could use this as well in #8413 ; I'll try to open a PR to do it.

Contributor

On second thought: it would be unnecessary to add this SQL-like offset and limit to the SsaBuilder, since if one has access to the builder to capture the SSA at those stages, then one can just pass the list of steps already limited to what they want, and stopping the pipeline in the general use case could prevent the creation of valid Brillig or ACIR bytecode anyway.

I added the option to filter any pass by message in #8416
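The skip/limit builder sketched in the earlier comment and the filter-by-message option mentioned in this one, as one added example in Rust that is not Noir's code: `Ssa`, `SsaPass`, `SsaBuilder` and `skip_pass` are hypothetical stand-ins (the toy SSA is just a call graph keyed on function names), and the twelve-step pipeline is constructed so that step 11 is the unreachable-function removal from the diff above. It reproduces `limit(10)` followed by `skip(10).limit(1)` and then runs the full pipeline with that one pass filtered out by message.

```rust
// Added example, not Noir's SsaBuilder: a toy pass pipeline with `skip`,
// `limit` and a per-message filter. The "SSA" here is only a call graph.
use std::collections::{BTreeMap, BTreeSet};

/// Toy SSA module: each function name maps to the set of functions it calls.
/// `log` records the message of every pass that actually ran, in order.
#[derive(Clone, Debug, PartialEq)]
pub struct Ssa {
    pub functions: BTreeMap<String, BTreeSet<String>>,
    pub log: Vec<String>,
}

/// One pipeline step: the message printed in the pass trace plus the transform.
pub struct SsaPass {
    pub msg: String,
    run: Box<dyn Fn(Ssa) -> Ssa>,
}

impl SsaPass {
    pub fn new(run: impl Fn(Ssa) -> Ssa + 'static, msg: &str) -> Self {
        SsaPass { msg: msg.to_string(), run: Box::new(run) }
    }
}

/// The pass the PR makes optional: drop every function not reachable from `main`.
pub fn remove_unreachable_functions(mut ssa: Ssa) -> Ssa {
    let mut reachable = BTreeSet::new();
    let mut stack = vec!["main".to_string()];
    while let Some(name) = stack.pop() {
        if reachable.insert(name.clone()) {
            if let Some(callees) = ssa.functions.get(&name) {
                stack.extend(callees.iter().cloned());
            }
        }
    }
    ssa.functions.retain(|name, _| reachable.contains(name));
    ssa
}

/// Hypothetical builder: runs a window of the pass list (`skip`/`limit`) and
/// can drop individual passes by message instead of carrying a bool per pass.
pub struct SsaBuilder {
    ssa: Ssa,
    passes: Vec<SsaPass>,
    skip: usize,
    limit: Option<usize>,
    skip_msgs: BTreeSet<String>,
}

impl SsaBuilder {
    pub fn new(ssa: Ssa, passes: Vec<SsaPass>) -> Self {
        SsaBuilder { ssa, passes, skip: 0, limit: None, skip_msgs: BTreeSet::new() }
    }
    /// Skip the first `n` passes of the list.
    pub fn skip(mut self, n: usize) -> Self { self.skip = n; self }
    /// Run at most `n` passes after skipping.
    pub fn limit(mut self, n: usize) -> Self { self.limit = Some(n); self }
    /// Drop any pass whose message matches exactly (filter-by-message).
    pub fn skip_pass(mut self, msg: &str) -> Self { self.skip_msgs.insert(msg.to_string()); self }
    pub fn build(self) -> Ssa {
        let SsaBuilder { mut ssa, passes, skip, limit, skip_msgs } = self;
        let window = passes.into_iter().skip(skip).take(limit.unwrap_or(usize::MAX));
        for pass in window {
            if skip_msgs.contains(&pass.msg) { continue; }
            ssa = (pass.run)(ssa);
            ssa.log.push(pass.msg.clone());
        }
        ssa
    }
}

/// Constructed pipeline: ten placeholder steps that only log, the
/// unreachable-function removal as step 11, and one more placeholder.
pub fn primary_passes() -> Vec<SsaPass> {
    let mut passes: Vec<SsaPass> =
        (1..=10).map(|i| SsaPass::new(|ssa| ssa, &format!("Step {}", i))).collect();
    passes.push(SsaPass::new(remove_unreachable_functions, "Removing Unreachable Functions"));
    passes.push(SsaPass::new(|ssa| ssa, "Step 12"));
    passes
}

fn calls(names: &[&str]) -> BTreeSet<String> { names.iter().map(|s| s.to_string()).collect() }

/// Constructed input: `dead` calls `helper` but is never called from `main`.
pub fn sample_ssa() -> Ssa {
    let mut functions = BTreeMap::new();
    functions.insert("main".to_string(), calls(&["helper"]));
    functions.insert("helper".to_string(), calls(&[]));
    functions.insert("dead".to_string(), calls(&["helper"]));
    Ssa { functions, log: Vec::new() }
}

/// ssa1 = first ten steps; ssa2 = ssa1 with only step 11 applied;
/// filtered = the whole pipeline with step 11 dropped by message.
pub fn demo() -> (Ssa, Ssa, Ssa) {
    let ssa0 = sample_ssa();
    let ssa1 = SsaBuilder::new(ssa0.clone(), primary_passes()).limit(10).build();
    let ssa2 = SsaBuilder::new(ssa1.clone(), primary_passes()).skip(10).limit(1).build();
    let filtered = SsaBuilder::new(ssa0, primary_passes())
        .skip_pass("Removing Unreachable Functions")
        .build();
    (ssa1, ssa2, filtered)
}

fn main() {
    let (ssa1, ssa2, filtered) = demo();
    for (label, ssa) in [("ssa1", &ssa1), ("ssa2", &ssa2), ("filtered", &filtered)].iter() {
        println!("{}: {} passes ran, functions {:?}", label, ssa.log.len(),
                 ssa.functions.keys().collect::<Vec<_>>());
    }
}
```

With this shape the fuzzer's "skip one pass" case is `skip_pass(msg)` and the "stop after N passes" case is `limit(N)`; `skip`/`limit` only slice the pass list, so the caveat from the follow-up comment still holds: a sliced pipeline need not produce an SSA the later ACIR or Brillig stages accept.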

Contributor Author

I think if we modify the SSA pipeline for testing, then we should do it in a more generic way, for example by passing additional parameters to the SsaBuilder

I agree. I thought it would be useful to have a more generic method, but chose this to get the fuzzer running sooner.

My plan is to keep using the bool for this pass/fuzzer (at least until the end of the canary audit) and use your "filter any pass by message" feature for the other passes.
