New Target for BeaconVote Decode Encode

[armaganyildirak]

This PR adds a new fuzzing target for BeaconVote encode/decode.

The goal is to increase code coverage for SSV clients by testing how BeaconVote data is serialized and deserialized in Rust and Go.

• The fuzzer must explore many BeaconVote scenarios to check that encoding and decoding are consistent across implementations.

• The inputs are valid BeaconVotes, malformed cases, and SSZ structure edge cases.

• Corpus generator for these inputs, plus the registration of the new target in the fuzzing pipeline.

[Copilot]

Pull Request Overview

Adds a new differential fuzzing target for BeaconVote SSZ encoding/decoding to compare Go and Rust implementations for potential network consensus issues.

• Implements diff_fuzz_beacon_vote_decode_encode target with Rust fuzzing harness and Go FFI integration
• Adds comprehensive corpus generation with valid BeaconVotes, malformed cases, and SSZ structure edge cases
• Integrates the new target into the fuzzing infrastructure with proper categorization as high-priority

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
run_fuzzer.sh	Adds beacon vote target to high-priority differential fuzzing list
fuzz/fuzz_targets/differential/diff_fuzz_beacon_vote_decode_encode.rs	Implements Rust side of differential fuzzing for BeaconVote encode/decode
fuzz/Cargo.toml	Registers the new beacon vote fuzzing target binary
diff_fuzzing/src/lib.rs	Adds Go FFI wrapper for beacon vote decode/encode operations
diff_fuzzing/sfuzz.go	Implements Go-side BeaconVote SSZ decode/encode with FFI export
corpus_generator/src/main.rs	Registers beacon vote generator in the main corpus generator registry
corpus_generator/src/generators/mod.rs	Exports BeaconVote generator module
corpus_generator/src/generators/beacon_vote.rs	Implements comprehensive corpus generation for BeaconVote fuzzing scenarios

Comments suppressed due to low confidence (1)

diff_fuzzing/sfuzz.go:415

• [nitpick] This appears to be only indentation/formatting changes to existing code. These formatting changes are not directly related to the BeaconVote feature and should be separated into a different commit.

	message, err := specqbft.NewProcessingMessage(msg)
	if err != nil {
		panic(err.Error())
	}

	var log = zap.NewNop()
	if fInst.debug {
		log, _ = zap.NewDevelopment()
	}
	_, _, _, err = fInst.instance.ProcessMsg(context.TODO(), log, message)
	if err != nil {
		println(err.Error())
		// Do not return an error, as this error might be appropriate for input message.
		// Just compare the outputted messages in the harness.
	}

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

[nitpick] The import reordering appears unnecessary and makes the diff harder to read. Consider keeping imports in their original order unless there's a specific reason for the change.

[Copilot]

[nitpick] This formatting change from msgIdx++; to msgIdx++ is unrelated to the BeaconVote functionality and should be separated into a different commit.

[Copilot]

The comparison should be against out_size directly since it's already an int parameter, not cast it from something else. The cast int(out_size) suggests out_size might be a different type, but the function signature shows it as int.

Suggested change

	if len(result) > int(out_size) {
	if len(result) > out_size {

[diegomrsantos]

Should it be != 32?

[armaganyildirak]

I think (but I'm not sure), according to BeaconVote, an SSZ BeaconVote contains multiple 32-byte roots (block_root, source.root, target.root) plus epochs, so the minimum valid SSZ size is well above 32 bytes. The check data.len() < 32 quickly rejects obviously too-short inputs. Using != 32 would wrongly reject all valid encodings, since real BeaconVote encodings are typically much larger than exactly 32 bytes.

[diegomrsantos]

I don't know what the correct size is, but does it change? Apparently, it's like this (needs confirmation):

SSV BeaconVote structure:

  pub struct BeaconVote {
      pub block_root: Hash256,  // 32 bytes
      pub source: Checkpoint,   // 40 bytes  
      pub target: Checkpoint,   // 40 bytes
  }

  Breakdown:
  - block_root (Hash256): 32 bytes
  - source (Checkpoint): 40 bytes
    - epoch (uint64): 8 bytes
    - root (Hash256): 32 bytes
  - target (Checkpoint): 40 bytes
    - epoch (uint64): 8 bytes
    - root (Hash256): 32 bytes

  Total: 32 + 40 + 40 = 112 bytes

So every size different from this should be invalid?

[armaganyildirak]

You're right. BeaconVote is a fixed-size SSZ container, so any size other than exactly 112 bytes is invalid. The current < 32 check is wrong, it should be != 112 since SSZ guarantees deterministic encoding for fixed structures with no size variation possible.

[diegomrsantos]

Not related to this PR, but not sure get_critical_size_boundaries is a descriptive name

[diegomrsantos]

Why do we return this here and stop validation?

[armaganyildirak]

My idea was, when the input length matches a critical boundary size, we don’t mark it as valid or invalid right away. Instead, we label it as ValidationResult::Boundary and keep it for testing edge cases about size. By returning at this point, we stop normal validation. This way, the input isn’t thrown away or used up, but saved in the corpus as a special boundary case.

[diegomrsantos]

What do you mean by critical? Why (1_000, "small_message"), would be relevant for a BeaconVote?

[armaganyildirak]

By critical, I mean sizes that are interesting for testing, not normal BeaconVotes. We keep very small, very large, or exact boundary sizes to check if the decoder crashes or has off-by-one bugs. That’s why we return Boundary and stop normal validation. I followed the style of previous generators, but we can change it if you have a different idea.

[diegomrsantos]

I checked this one

ssv-fuzz/corpus_generator/src/generators/ssv_message.rs

Line 18 in c6c55db

fn validate_corpus_entry(&self, data: &[u8]) -> Result<ValidationResult, Box<dyn std::error::Error>> {

and it doesn't seem to do that

[diegomrsantos]

And I'm not sure we can generalize boundaries for different types. Wouldn't they be like type_size, type_size - 1, type_size + 1?

[armaganyildirak]

You are right, the ssv_message generator does not use this boundary logic. I followed what I saw in some other generators, but maybe it is not the best fit here.

[diegomrsantos]

What usize means here? What kind of error could this function return if it's supposed to generate valid beacon votes?

[armaganyildirak]

The usize in the return type is the count of files generated (how many valid beacon votes were written to the corpus). I just follow the previous generator implementations because all of them return the same output (

ssv-fuzz/corpus_generator/src/generators/message_id.rs

Line 61 in c4003cf

fn generate_validator_key_boundaries(&self, output_dir: &Path) -> Result<usize, Box<dyn std::error::Error>> {

)