Mercurial > hg
view tests/test-fuzz-targets.t @ 49000:dd6b67d5c256 stable
rust: fix unsound `OwningDirstateMap`
As per the previous patch, `OwningDirstateMap` is unsound. Self-referential
structs are difficult to implement correctly in Rust since the compiler is
free to move structs around as much as it wants to. They are also very rarely
needed in practice, so the state-of-the-art on how they should be done within
the Rust rules is still a bit new.
The crate `ouroboros` is an attempt at providing a safe way (in the Rust sense)
of declaring self-referential structs. It is getting a lot attention and was
improved very quickly when soundness issues were found in the past: rather than
relying on our own (limited) review circle, we might as well use the de-facto
common crate to fix this problem. This will give us a much better chance of
finding issues should any new ones be discovered as well as the benefit of
fewer `unsafe` APIs of our own.
I was starting to think about how I would present a safe API to the old struct
but soon realized that the callback-based approach was already done in
`ouroboros`, along with a lot more care towards refusing incorrect structs.
In short: we don't return a mutable reference to the `DirstateMap` anymore, we
expect users of its API to pass a `FnOnce` that takes the map as an argument.
This allows our `OwningDirstateMap` to control the input and output lifetimes
of the code that modifies it to prevent such issues.
Changing to `ouroboros` meant changing every API with it, but it is relatively
low churn in the end. It correctly identified the example buggy modification of
`copy_map_insert` outlined in the previous patch as violating the borrow rules.
Differential Revision: https://phab.mercurial-scm.org/D12429
author | Raphaël Gomès <rgomes@octobus.net> |
---|---|
date | Tue, 05 Apr 2022 10:55:28 +0200 |
parents | 1d075b857c90 |
children |
line wrap: on
line source
#require test-repo py3 $ cd $TESTDIR/../contrib/fuzz $ OUT=$TESTTMP ; export OUT which(1) could exit nonzero, but that's fine because we'll still end up without a valid executable, so we don't need to check $? here. $ if which gmake >/dev/null 2>&1; then > MAKE=gmake > else > MAKE=make > fi $ havefuzz() { > cat > $TESTTMP/dummy.cc <<EOF > #include <stdlib.h> > #include <stdint.h> > int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { return 0; } > int main(int argc, char **argv) { > const char data[] = "asdf"; > return LLVMFuzzerTestOneInput((const uint8_t *)data, 4); > } > EOF > $CXX $TESTTMP/dummy.cc -o $TESTTMP/dummy \ > -fsanitize=fuzzer-no-link,address || return 1 > } Try to find a python3-config that's next to our sys.executable. If that doesn't work, fall back to looking for a global python3-config and hope that works out for the best. $ PYBIN=`"$PYTHON" -c 'import sys, os; print(os.path.dirname(sys.executable))'` $ if [ -x "$PYBIN/python3-config" ] ; then > PYTHON_CONFIG="$PYBIN/python3-config" > else > PYTHON_CONFIG="`which python3-config`" > fi #if clang-libfuzzer $ CXX=clang++ havefuzz || exit 80 $ $MAKE -s clean all PYTHON_CONFIG="$PYTHON_CONFIG" #endif #if no-clang-libfuzzer clang-6.0 $ CXX=clang++-6.0 havefuzz || exit 80 $ $MAKE -s clean all CC=clang-6.0 CXX=clang++-6.0 PYTHON_CONFIG="$PYTHON_CONFIG" #endif #if no-clang-libfuzzer no-clang-6.0 $ exit 80 #endif $ cd $TESTTMP Run each fuzzer using dummy.cc as a fake input, to make sure it runs at all. In the future we should instead unpack the corpus for each fuzzer and use that instead. $ for fuzzer in `ls *_fuzzer | sort` ; do > echo run $fuzzer... > ./$fuzzer dummy.cc > /dev/null 2>&1 > done run bdiff_fuzzer... run dirs_fuzzer... run dirstate_fuzzer... run fm1readmarkers_fuzzer... run fncache_fuzzer... run jsonescapeu8fast_fuzzer... run manifest_fuzzer... run mpatch_fuzzer... run revlog_fuzzer... run xdiff_fuzzer... Clean up. $ cd $TESTDIR/../contrib/fuzz $ $MAKE -s clean