Add fuzz tests

[c410-f3r]

Also adds support for Clippy

Clippy

Has a bunch of useful security related lints that verifies poor handled code.

Fuzz tests

Verifies user inputs that could abort the runtime execution. Basically, anything that uses unwrap, expect, indexing or non-checked APIs like Vec::remove.
After running the targets for some time, no error was found.

@lsaether The error I talked earlier was a false-positive related to the maximum number of allowed threads, i.e., nothing related to our code-base.

[sea212]

Looks good overall. The general code quality definitively has been improved, thanks.
Is the only way to execute tests now by testing each crate on its own (or using the supplied test script)? I get an error when executing cargo test --features mock:

Running unittests (target/debug/deps/full_workflow-ba1fab45be0e51f1)
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 4172032396
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2 INITED exec/s: 0 rss: 64Mb
ERROR: no interesting inputs were found. Is the code instrumented for coverage? Exiting.
error: test failed, to rerun pass '-p zrml-prediction-markets-fuzz --bin full_workflow'

[sea212]

Is there really no other way to make fuzz use the mocks only when required? Feels very unnatural now to execute tests, because they demand --features mock (yet tests imply mocks)

[c410-f3r]

It is actually possible and easier to write

[dev-dependencies]
zrml-prediction-markets = { features = ["mock"], path = "." }

and then simply type

cargo test

So let's do it! We just need to be careful to not introduce cargo dependencies when publishing. Some projects had trouble in this scenario. For example, rust-lang/futures-rs#2305.

[sea212]

Many PM pallet functions are still missing. Are you planning to add them in a follow up PR?

[c410-f3r]

This subject can be tackled in different ways:

• One fuzzing target per module entry-point
• Specific workflows (join and then exit pool; create market, buy pool shares and then resolve; etc)
• Everything at once, i.e., call every entry-point in the same fuzzing target

So yeah, I am planning to research, add more targets that makes sense, extend to overbook-v1 and test possible internal mutations that could cause program abortion.
As soon as this PR is merged, I will open an issue to track everything

[c410-f3r]

Looks good overall. The general code quality definitively has been improved, thanks.
Is the only way to execute tests now by testing each crate on its own (or using the supplied test script)? I get an error when executing cargo test --features mock:

Running unittests (target/debug/deps/full_workflow-ba1fab45be0e51f1)
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 4172032396
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2 INITED exec/s: 0 rss: 64Mb
ERROR: no interesting inputs were found. Is the code instrumented for coverage? Exiting.
error: test failed, to rerun pass '-p zrml-prediction-markets-fuzz --bin full_workflow'

Sorry, didn't test cargo test in the root directory. This issue is now fixed

[lsaether]

This is great! It will improve our security and help us confidently build a safer runtime over time. Overall the code quality has been improved. LGTM

[c410-f3r]

Thanks @lsaether
All concerns of @sea212 were addressed so I will merge