convert all fuzztests from afl+honggfuzz to libfuzzer

honggfuzz is faster but has always been unreliable and frustrating to
keep working; I eventually removed it entirely from my local CI and we
removed it from the Github CI here in rust-elements.

AFL, meanwhile, I think we literally never used, though we copied it from
Matt's old rust-lightning stuff.

Anyway, something that works is better than something that's fast, so move
to libfuzzer, which I can run in both my local CI and in Github.

Author: apoelstra

.github/workflows/cron-daily-fuzz.yml

@@ -0,0 +1,69 @@
+# Automatically generated by fuzz/generate-files.sh
+name: Fuzz
+on:
+  schedule:
+    # 5am every day UTC, this correlates to:
+    # - 10pm PDT
+    # - 6am CET
+    # - 4pm AEDT
+    - cron: '00 05 * * *'
+permissions: {}
+
+jobs:
+  fuzz:
+    if: ${{ !github.event.act }}
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        fuzz_target: [
+          deserialize_block,
+          deserialize_output,
+          deserialize_pset,
+          deserialize_transaction,
+        ]
+    steps:
+      - name: Install test dependencies
+        run: sudo apt-get update -y && sudo apt-get install -y binutils-dev libunwind8-dev libcurl4-openssl-dev libelf-dev libdw-dev cmake gcc libiberty-dev
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        id: cache-fuzz
+        with:
+          path: |
+            ~/.cargo/bin
+            fuzz/target
+            target
+          key: cache-${{ matrix.target }}-${{ hashFiles('**/Cargo.toml','**/Cargo.lock') }}
+      - uses: dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 # stable
+        with:
+          toolchain: '1.74.0'
+      - name: fuzz
+        run: |
+          echo "Using RUSTFLAGS $RUSTFLAGS"
+          cd fuzz && ./fuzz.sh "${{ matrix.fuzz_target }}"
+      - run: echo "${{ matrix.fuzz_target }}" >executed_${{ matrix.fuzz_target }}
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: executed_${{ matrix.fuzz_target }}
+          path: executed_${{ matrix.fuzz_target }}
+
+  verify-execution:
+    if: ${{ !github.event.act }}
+    needs: fuzz
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      - run: cargo install --locked --version 0.12.0 cargo-fuzz
+      - name: Display structure of downloaded files
+        run: ls -R
+      - run: find executed_* -type f -exec cat {} + | sort > executed
+      - run: cargo fuzz list | sort | diff - executed

fuzz/Cargo.toml

@@ -1,38 +1,56 @@
 [package]
 name = "elements-fuzz"
+edition = "2021"
+rust-version = "1.74.0"
 version = "0.0.1"
-authors = ["Automatically generated"]
+authors = ["Generated by fuzz/generate-files.sh"]
 publish = false
-edition = "2018"
 
 [package.metadata]
 cargo-fuzz = true
 
-[features]
-afl_fuzz = ["afl"]
-honggfuzz_fuzz = ["honggfuzz"]
-
 [dependencies]
-honggfuzz = { version = "0.5", optional = true, default-features = false }
-afl = { version = "0.11", optional = true }
-elements = { path = "..", features = ["serde"] }
+elements = { path = "../", features = [ "serde" ] }
+libfuzzer-sys = { version = "0.4.0" }
 
-# Prevent this from interfering with workspaces
-[workspace]
-members = ["."]
+[lints.rust]
+unexpected_cfgs = { level = "deny", check-cfg = ['cfg(fuzzing)'] }
 
-[[bin]]
-name = "deserialize_transaction"
-path = "fuzz_targets/deserialize_transaction.rs"
+[lints.clippy]
+redundant_clone = "warn"
+use_self = "warn"
+
+[package.metadata.rbmt.lint]
+allowed_duplicates = [
+    "hex-conservative",
+    "getrandom",
+    "wasi",
+]
 
 [[bin]]
 name = "deserialize_block"
 path = "fuzz_targets/deserialize_block.rs"
+test = false
+doc = false
+bench = false
 
 [[bin]]
 name = "deserialize_output"
 path = "fuzz_targets/deserialize_output.rs"
+test = false
+doc = false
+bench = false
 
 [[bin]]
 name = "deserialize_pset"
 path = "fuzz_targets/deserialize_pset.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "deserialize_transaction"
+path = "fuzz_targets/deserialize_transaction.rs"
+test = false
+doc = false
+bench = false

fuzz/fuzz-util.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+# Sort order is affected by locale. See `man sort`.
+# > Set LC_ALL=C to get the traditional sort order that uses native byte values.
+export LC_ALL=C
+
+REPO_DIR=$(git rev-parse --show-toplevel)
+
+listTargetFiles() {
+  pushd "$REPO_DIR/fuzz" > /dev/null || exit 1
+  find fuzz_targets/ -type f -name "*.rs" | sort
+  popd > /dev/null || exit 1
+}
+
+targetFileToName() {
+  echo "$1" \
+    | sed 's/^fuzz_targets\///' \
+    | sed 's/\.rs$//' \
+    | sed 's/\//_/g' \
+    | sed 's/^_//g'
+}
+
+# Utility function to avoid CI failures on Windows
+checkWindowsFiles() {
+  incorrectFilenames=$(find . -type f -name "*,*" -o -name "*:*" -o -name "*<*" -o -name "*>*" -o -name "*|*" -o -name "*\?*" -o -name "*\**" -o -name "*\"*" | wc -l)
+  if [ "$incorrectFilenames" -gt 0 ]; then
+    echo "Bailing early because there is a Windows-incompatible filename in the tree."
+    exit 2
+  fi
+}
+
+# Checks whether a fuzz case has artifacts, and dumps them in hex
+checkReport() {
+  artifactDir="fuzz/artifacts/$1"
+  if [ -d "$artifactDir" ] && [ -n "$(ls -A "$artifactDir" 2>/dev/null)" ]; then
+    echo "Artifacts found for target: $1"
+    for artifact in "$artifactDir"/*; do
+      if [ -f "$artifact" ]; then
+        echo "Artifact: $(basename "$artifact")"
+        xxd -p -c10000 < "$artifact"
+      fi
+    done
+    exit 1
+  fi
+}

fuzz/fuzz_targets/deserialize_block.rs

@@ -1,5 +1,10 @@
+#![cfg_attr(fuzzing, no_main)]
+#![cfg_attr(not(fuzzing), allow(unused))]
 
-extern crate elements;
+use libfuzzer_sys::fuzz_target;
+
+#[cfg(not(fuzzing))]
+fn main() {}
 
 fn do_test(data: &[u8]) {
     let block_result: Result<elements::Block, _> = elements::encode::deserialize(data);
@@ -12,25 +17,9 @@ fn do_test(data: &[u8]) {
     }
 }
 
-#[cfg(feature = "afl")]
-extern crate afl;
-#[cfg(feature = "afl")]
-fn main() {
-    afl::read_stdio_bytes(|data| {
-        do_test(&data);
-    });
-}
-
-#[cfg(feature = "honggfuzz")]
-#[macro_use] extern crate honggfuzz;
-#[cfg(feature = "honggfuzz")]
-fn main() {
-    loop {
-        fuzz!(|data| {
-            do_test(data);
-        });
-    }
-}
+fuzz_target!(|data: &[u8]| {
+    do_test(data);
+});
 
 #[cfg(test)]
 mod tests {

fuzz/fuzz_targets/deserialize_output.rs

@@ -1,5 +1,10 @@
+#![cfg_attr(fuzzing, no_main)]
+#![cfg_attr(not(fuzzing), allow(unused))]
 
-extern crate elements;
+use libfuzzer_sys::fuzz_target;
+
+#[cfg(not(fuzzing))]
+fn main() {}
 
 fn do_test(data: &[u8]) {
     let result: Result<elements::TxOut, _> = elements::encode::deserialize(data);
@@ -18,25 +23,9 @@ fn do_test(data: &[u8]) {
     }
 }
 
-#[cfg(feature = "afl")]
-extern crate afl;
-#[cfg(feature = "afl")]
-fn main() {
-    afl::read_stdio_bytes(|data| {
-        do_test(&data);
-    });
-}
-
-#[cfg(feature = "honggfuzz")]
-#[macro_use] extern crate honggfuzz;
-#[cfg(feature = "honggfuzz")]
-fn main() {
-    loop {
-        fuzz!(|data| {
-            do_test(data);
-        });
-    }
-}
+fuzz_target!(|data: &[u8]| {
+    do_test(data);
+});
 
 #[cfg(test)]
 mod tests {

fuzz/fuzz_targets/deserialize_pset.rs

@@ -1,5 +1,10 @@
+#![cfg_attr(fuzzing, no_main)]
+#![cfg_attr(not(fuzzing), allow(unused))]
 
-extern crate elements;
+use libfuzzer_sys::fuzz_target;
+
+#[cfg(not(fuzzing))]
+fn main() {}
 
 fn do_test(data: &[u8]) {
     let psbt: Result<elements::pset::PartiallySignedTransaction, _> = elements::encode::deserialize(data);
@@ -14,25 +19,9 @@ fn do_test(data: &[u8]) {
     }
 }
 
-#[cfg(feature = "afl")]
-extern crate afl;
-#[cfg(feature = "afl")]
-fn main() {
-    afl::read_stdio_bytes(|data| {
-        do_test(&data);
-    });
-}
-
-#[cfg(feature = "honggfuzz")]
-#[macro_use] extern crate honggfuzz;
-#[cfg(feature = "honggfuzz")]
-fn main() {
-    loop {
-        fuzz!(|data| {
-            do_test(data);
-        });
-    }
-}
+fuzz_target!(|data: &[u8]| {
+    do_test(data);
+});
 
 #[cfg(test)]
 mod tests {

fuzz/fuzz_targets/deserialize_transaction.rs

@@ -1,5 +1,10 @@
+#![cfg_attr(fuzzing, no_main)]
+#![cfg_attr(not(fuzzing), allow(unused))]
 
-extern crate elements;
+use libfuzzer_sys::fuzz_target;
+
+#[cfg(not(fuzzing))]
+fn main() {}
 
 fn do_test(data: &[u8]) {
     let tx_result: Result<elements::Transaction, _> = elements::encode::deserialize(data);
@@ -31,25 +36,9 @@ fn do_test(data: &[u8]) {
     }
 }
 
-#[cfg(feature = "afl")]
-extern crate afl;
-#[cfg(feature = "afl")]
-fn main() {
-    afl::read_stdio_bytes(|data| {
-        do_test(&data);
-    });
-}
-
-#[cfg(feature = "honggfuzz")]
-#[macro_use] extern crate honggfuzz;
-#[cfg(feature = "honggfuzz")]
-fn main() {
-    loop {
-        fuzz!(|data| {
-            do_test(data);
-        });
-    }
-}
+fuzz_target!(|data: &[u8]| {
+    do_test(data);
+});
 
 #[cfg(test)]
 mod tests {