anza-xyz · buffalojoec · Oct 15, 2025 · Oct 9, 2025 · Oct 10, 2025 · Oct 10, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -105,6 +105,7 @@ members = [
     "svm",
     "svm-callback",
     "svm-feature-set",
+    "svm-fuzz-harness",
     "svm-log-collector",
     "svm-measure",
     "svm-timings",
@@ -531,6 +532,7 @@ solana-streamer = { path = "streamer", version = "=3.1.0" }
 solana-svm = { path = "svm", version = "=3.1.0" }
 solana-svm-callback = { path = "svm-callback", version = "=3.1.0" }
 solana-svm-feature-set = { path = "svm-feature-set", version = "=3.1.0" }
+solana-svm-fuzz-harness = { path = "svm-fuzz-harness", version = "=3.1.0" }
 solana-svm-log-collector = { path = "svm-log-collector", version = "=3.1.0" }
 solana-svm-measure = { path = "svm-measure", version = "=3.1.0" }
 solana-svm-timings = { path = "svm-timings", version = "=3.1.0" }

@@ -1550,7 +1550,14 @@ fn execute<'a, 'b: 'a>(
                 Err(Box::new(error) as Box<dyn std::error::Error>)
             }
             ProgramResult::Err(mut error) => {
-                if !matches!(error, EbpfError::SyscallError(_)) {
+                // Don't clean me up!!
+                // This feature is active on all networks, but we still toggle
+                // it off during fuzzing.
+                if invoke_context
+                    .get_feature_set()
+                    .deplete_cu_meter_on_vm_failure
+                    && !matches!(error, EbpfError::SyscallError(_))
+                {
                     // when an exception is thrown during the execution of a
                     // Basic Block (e.g., a null memory dereference or other
                     // faults), determining the exact number of CUs consumed

diff --git a/svm-fuzz-harness/.gitignore b/svm-fuzz-harness/.gitignore
@@ -0,0 +1 @@
+dump
diff --git a/svm-fuzz-harness/Cargo.toml b/svm-fuzz-harness/Cargo.toml
@@ -0,0 +1,56 @@
+[package]
+name = "solana-svm-fuzz-harness"
+description = "Solana SVM fuzzing harnesses."
+documentation = "https://docs.rs/solana-svm-fuzz-harness"
+version = { workspace = true }
+authors = { workspace = true }
+repository = { workspace = true }
+homepage = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = false
+
+[lib]
+crate-type = ["cdylib", "rlib"]
+
+[[bin]]
+name = "test_exec_instr"
+path = "bin/test_exec_instr.rs"
+
+[dependencies]
+agave-feature-set = { workspace = true }
+agave-precompiles = { workspace = true }
+agave-syscalls = { workspace = true }
+bincode = { workspace = true }
+clap = { version = "4.5.2", features = ["derive"] }
+prost = { workspace = true }
+protosol = { git = "https://github.com/firedancer-io/protosol", tag = "v1.0.2" }
+solana-account = { workspace = true }
+solana-builtins = { workspace = true }
+solana-clock = { workspace = true, features = ["sysvar"] }
+solana-compute-budget = { workspace = true }
+solana-epoch-schedule = { workspace = true, features = ["sysvar"] }
+solana-hash = { workspace = true }
+solana-instruction = { workspace = true }
+solana-instruction-error = { workspace = true, features = ["serde"] }
+solana-last-restart-slot = { workspace = true, features = ["sysvar"] }
+solana-logger = { workspace = true }
+solana-precompile-error = { workspace = true }
+solana-program-runtime = { workspace = true }
+solana-pubkey = { workspace = true }
+solana-rent = { workspace = true, features = ["sysvar"] }
+solana-sdk-ids = { workspace = true }
+solana-stable-layout = { workspace = true }
+solana-svm = { workspace = true }
+solana-svm-callback = { workspace = true }
+solana-svm-log-collector = { workspace = true }
+solana-svm-timings = { workspace = true }
+solana-sysvar-id = { workspace = true }
+solana-transaction-context = { workspace = true }
+thiserror = { workspace = true }
+
+[build-dependencies]
+prost-build = { workspace = true }
+
+[lints]
+workspace = true
diff --git a/svm-fuzz-harness/Makefile b/svm-fuzz-harness/Makefile
@@ -0,0 +1,7 @@
+
+CARGO?=cargo
+
+test: | binaries
+
+binaries:
+	$(CARGO) build --manifest-path ./Cargo.toml --bins --release
diff --git a/svm-fuzz-harness/bin/test_exec_instr.rs b/svm-fuzz-harness/bin/test_exec_instr.rs
@@ -0,0 +1,52 @@
+use {
+    clap::Parser,
+    prost::Message,
+    solana_svm_fuzz_harness::{
+        fixture::proto::InstrFixture as ProtoInstrFixture, instr::execute_instr_proto,
+    },
+    std::path::PathBuf,
+};
+
+#[derive(Parser)]
+#[command(version, about, long_about = None)]
+struct Cli {
+    inputs: Vec<PathBuf>,
+}
+
+fn exec(input: &PathBuf) -> bool {
+    let blob = std::fs::read(input).unwrap();
+    let fixture = ProtoInstrFixture::decode(&blob[..]).unwrap();
+    let Some(context) = fixture.input else {
+        println!("No context found.");
+        return false;
+    };
+
+    let Some(expected) = fixture.output else {
+        println!("No fixture found.");
+        return false;
+    };
+    let Some(effects) = execute_instr_proto(context) else {
+        println!("FAIL: No instruction effects returned for input: {input:?}",);
+        return false;
+    };
+
+    let ok = effects == expected;
+
+    if ok {
+        println!("OK: {input:?}");
+    } else {
+        println!("FAIL: {input:?}");
+    }
+    ok
+}
+
+fn main() {
+    let cli = Cli::parse();
+    let mut fail_cnt: i32 = 0;
+    for input in cli.inputs {
+        if !exec(&input) {
+            fail_cnt = fail_cnt.saturating_add(1);
+        }
+    }
+    std::process::exit(fail_cnt);
+}
diff --git a/svm-fuzz-harness/build.rs b/svm-fuzz-harness/build.rs
@@ -0,0 +1,40 @@
+use std::{env, fs, path::PathBuf};
+
+fn main() -> Result<(), Box<dyn std::error::Error>> {
+    // Get absolute proto dir from producer
+    let proto_dir = PathBuf::from(
+        env::var("DEP_PROTOSOL_PROTO_DIR")
+            .expect("protosol did not expose PROTO_DIR, did protosol build.rs run first?"),
+    );
+
+    println!("cargo:rerun-if-env-changed=DEP_PROTOSOL_PROTO_DIR");
+    println!("cargo:rerun-if-changed={}", proto_dir.display());
+
+    // Collect absolute .proto paths
+    let mut proto_files = vec![];
+    for entry in fs::read_dir(&proto_dir)? {
+        let path = entry?.path();
+        if path.extension().and_then(|e| e.to_str()) == Some("proto") {
+            println!("cargo:rerun-if-changed={}", path.display());
+            proto_files.push(path);
+        }
+    }
+
+    // Ensure deterministic order for rebuilds
+    proto_files.sort();
+
+    // Compile protos into Rust
+    let out_dir = PathBuf::from(env::var("OUT_DIR")?);
+    let mut config = prost_build::Config::new();
+    config.out_dir(&out_dir);
+
+    config.compile_protos(
+        &proto_files
+            .iter()
+            .map(|p| p.display().to_string())
+            .collect::<Vec<_>>(),
+        &[proto_dir.to_str().unwrap()],
+    )?;
+
+    Ok(())
+}
diff --git a/svm-fuzz-harness/src/fixture/account_state.rs b/svm-fuzz-harness/src/fixture/account_state.rs
@@ -0,0 +1,58 @@
+use {
+    super::{error::FixtureError, proto::AcctState as ProtoAccount},
+    solana_account::Account,
+    solana_pubkey::Pubkey,
+};
+
+// Default `rent_epoch` field value for all accounts.
+const RENT_EXEMPT_RENT_EPOCH: u64 = u64::MAX;
+
+impl TryFrom<ProtoAccount> for (Pubkey, Account) {
+    type Error = FixtureError;
+
+    fn try_from(value: ProtoAccount) -> Result<Self, Self::Error> {
+        let ProtoAccount {
+            address,
+            owner,
+            lamports,
+            data,
+            executable,
+            ..
+        } = value;
+
+        let pubkey = Pubkey::try_from(address).map_err(FixtureError::InvalidPubkeyBytes)?;
+        let owner = Pubkey::try_from(owner).map_err(FixtureError::InvalidPubkeyBytes)?;
+
+        Ok((
+            pubkey,
+            Account {
+                data,
+                executable,
+                lamports,
+                owner,
+                rent_epoch: RENT_EXEMPT_RENT_EPOCH,
+            },
+        ))
+    }
+}
+
+impl From<(Pubkey, Account)> for ProtoAccount {
+    fn from(value: (Pubkey, Account)) -> Self {
+        let Account {
+            lamports,
+            data,
+            owner,
+            executable,
+            ..
+        } = value.1;
+
+        ProtoAccount {
+            address: value.0.to_bytes().to_vec(),
+            owner: owner.to_bytes().to_vec(),
+            lamports,
+            data,
+            executable,
+            seed_addr: None,
+        }
+    }
+}
diff --git a/svm-fuzz-harness/src/fixture/error.rs b/svm-fuzz-harness/src/fixture/error.rs
@@ -0,0 +1,13 @@
+use thiserror::Error;
+
+#[derive(Debug, Error, PartialEq)]
+pub enum FixtureError {
+    #[error("Invalid fixture input")]
+    InvalidFixtureInput,
+
+    #[error("Invalid public key bytes")]
+    InvalidPubkeyBytes(Vec<u8>),
+
+    #[error("An account is missing for instruction account index {0}")]
+    AccountMissingForInstrAccount(usize),
+}
diff --git a/svm-fuzz-harness/src/fixture/feature_set.rs b/svm-fuzz-harness/src/fixture/feature_set.rs
@@ -0,0 +1,37 @@
+use {
+    super::proto::FeatureSet as ProtoFeatureSet,
+    agave_feature_set::{FeatureSet, FEATURE_NAMES},
+    solana_pubkey::Pubkey,
+    std::{collections::HashMap, sync::LazyLock},
+};
+
+const fn feature_u64(feature: &Pubkey) -> u64 {
+    let feature_id = feature.to_bytes();
+    feature_id[0] as u64
+        | (feature_id[1] as u64) << 8
+        | (feature_id[2] as u64) << 16
+        | (feature_id[3] as u64) << 24
+        | (feature_id[4] as u64) << 32
+        | (feature_id[5] as u64) << 40
+        | (feature_id[6] as u64) << 48
+        | (feature_id[7] as u64) << 56
+}
+
+static INDEXED_FEATURES: LazyLock<HashMap<u64, Pubkey>> = LazyLock::new(|| {
+    FEATURE_NAMES
+        .iter()
+        .map(|(pubkey, _)| (feature_u64(pubkey), *pubkey))
+        .collect()
+});
+
+impl From<&ProtoFeatureSet> for FeatureSet {
+    fn from(value: &ProtoFeatureSet) -> Self {
+        let mut feature_set = FeatureSet::default();
+        for id in &value.features {
+            if let Some(pubkey) = INDEXED_FEATURES.get(id) {
+                feature_set.activate(pubkey, 0);
+            }
+        }
+        feature_set
+    }
+}