feat[test]: implement abi_decode spec test

[charles-cooper]

What I did

add a spec-based differential fuzzer test for abi_decode

How I did it

How to verify it

Commit message

this commit implements a spec-based differential fuzzer for
`abi_decode`.

it introduces several components:

- a "spec" implementation of `abi_decode`, which is how vyper's
  abi_decode should behave on a given payload, implemented in python

- a hypothesis strategy to draw vyper types

- hypothesis strategy to create valid data for a given vyper type

- a hypothesis strategy to _mutate_ a given payload which is designed
  to introduce faults in the decoder. testing indicated splicing
  pointers into the payload - either valid pointers or "nearly" valid
  pointers - had the highest success rate for finding bugs in the
  decoder. the intuition here is that the most difficult part of the
  decoder is validating out-of-bound pointers in the payload, so
  pointers represent "semantically high-value" data to the fuzzer.

- some hypothesis tuning to ensure a good distribution of types

over several days of testing+tuning, this fuzzer independently found
the bugs fixed in 44bb281ccaa and 21f7172274e (which were originally
found by manual review).

Description for the changelog

Cute Animal Picture

[cyberthirst]

this can also generate an empty list, no? Don't we want min_size=1?

[charles-cooper]

We want to test valid payloads too, we don't have to mutate the payload

[cyberthirst]

ok, i assumed we'd test valid payloads separately. we could enmurate all type combinations up to certain depth

[cyberthirst]

we deliberately don't use the rest of the actions?

[charles-cooper]

Yea, I was going to clean it up a bit. The edit, splice and flip actions turned out to not be very useful.

[cyberthirst]

max_mutations unused

[cyberthirst]

what is the reasoning behind using 33?
why is it ok to use 33 for all payloads, irrespective of their lengths? ie why do we assume this works well both for short and long payloads?

[charles-cooper]

It's about editing, you can add or delete one word (plus change)

[cyberthirst]

we bias towards the w action, which is word-level

[cyberthirst]

overall, i'm not sure about the byte-level mutation. if it happens on the length word, it will likely create an invalid length. if it happens on a pointer, it will likely create an invalid pointer (eg points to a too large address)

given the fairly low MAX_MUTATIONS if a bad byte mutation happens, I think there's a low probability of offsetting it with a "good" mutation

[cyberthirst]

like normal fuzzers do it on this level, but i think that the mutation depth there is much higher

[charles-cooper]

i think it's mostly useful for editing the "data" portion of the payload, like it produces off-by-ones (expected length is 32 but data is only actually 31)

[cyberthirst]

isn't 1024 unnecessarily large so it just slows down the tests? what cases might not be covered by eg 512?

[cyberthirst]

i think that for the sake of completeness, we should also test with dirty memory

let's consider that a ptr points outside the buffer to
a) dirty memory
b) clean memory

we currently only test for b) and require that the spec matches the implementation

the spec should always raise when ptr points outside the buffer. but what if the implementation doesn't revert when pointing outside the buffer to dirty memory?

[cyberthirst]

i'm not sure how useful this range is. the interesting values will be on it's boundaries but we can sample those for "cheaper"

in most cases we'll just sample some gigantic random number and i'd argue it will just hit the same code path each time (and for ptrs will mostly likely just oog)

[cyberthirst]

i think it's important to include structs - one of the original errors was incorrect validation of structs within dynarrays

[charles-cooper]

i think it's important to include structs - one of the original errors was incorrect validation of structs within dynarrays

I mean structs share the same code path as tuples, but with named fields in the front-end. I don't think we are missing much by not including them

[cyberthirst]

i think it's important to include structs - one of the original errors was incorrect validation of structs within dynarrays

I mean structs share the same code path as tuples, but with named fields in the front-end. I don't think we are missing much by not including them

we skip them for dynarrays, right?

[charles-cooper]

i think it's important to include structs - one of the original errors was incorrect validation of structs within dynarrays

I mean structs share the same code path as tuples, but with named fields in the front-end. I don't think we are missing much by not including them

we skip them for dynarrays, right?

Ah right, those are disallowed by the language semantics. Ok let's add them