changeset 35670:2b9e2415f5b5
contrib: add some basic scaffolding for some fuzz test targets
I'd like to get the majority of our C code covered by automated fuzz
testing. I've started with bdiff because it was already decoupled from
libpython and therefore was fairly quick to produce a working
fuzzer. The code here is a little odd because I've been having trouble
convincing libfuzzer to define a main and I threw in the towel.
This code will also work with github.com/google/oss-fuzz, and once it
lands in our main repo I intend to enable automated fuzzing in
oss-fuzz with reports going to our security alias.
Differential Revision: https://phab.mercurial-scm.org/D1875
| author | Augie Fackler <augie@google.com> |
|---|---|
| date | Wed, 17 Jan 2018 15:47:38 -0500 |
| parents | 39499bc31fcd |
| children | 8810f0643fa1 |
| files | contrib/fuzz/Makefile contrib/fuzz/bdiff.cc tests/test-fuzz-targets.t |
| diffstat | 3 files changed, 74 insertions(+), 0 deletions(-) |
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/contrib/fuzz/Makefile Wed Jan 17 15:47:38 2018 -0500 @@ -0,0 +1,20 @@ +bdiff.o: ../../mercurial/bdiff.c + clang -g -O1 -fsanitize=fuzzer-no-link,address -c -o bdiff.o \ + ../../mercurial/bdiff.c + +bdiff: bdiff.cc bdiff.o + clang -DHG_FUZZER_INCLUDE_MAIN=1 -g -O1 -fsanitize=fuzzer-no-link,address \ + -I../../mercurial bdiff.cc bdiff.o -o bdiff + +bdiff-oss-fuzz.o: ../../mercurial/bdiff.c + $$CC $$CFLAGS -c -o bdiff-oss-fuzz.o ../../mercurial/bdiff.c + +bdiff_fuzzer: bdiff.cc bdiff-oss-fuzz.o + $$CXX $$CXXFLAGS -std=c++11 -I../../mercurial bdiff.cc \ + bdiff-oss-fuzz.o -lFuzzingEngine -o $$OUT/bdiff_fuzzer + +all: bdiff + +oss-fuzz: bdiff_fuzzer + +.PHONY: all oss-fuzz
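Review bot: the default goal of this Makefile is `bdiff.o`, not `all`, because `bdiff.o: ../../mercurial/bdiff.c` is the first rule in the file; a plain `make` in contrib/fuzz will therefore stop after compiling the object and never link the `bdiff` binary. Move the `all: bdiff` rule to the top (or set `.DEFAULT_GOAL := all`) so the local build does what the test in tests/test-fuzz-targets.t presumably expects. Two smaller points: the local `bdiff` link line omits the `-std=c++11` that the `bdiff_fuzzer` target passes, so the same bdiff.cc is compiled under two different language standards, and `$$OUT/bdiff_fuzzer` assumes `OUT` is set and exists, which is true under oss-fuzz but will fail silently as a `/bdiff_fuzzer` write elsewhere.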
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/contrib/fuzz/bdiff.cc Wed Jan 17 15:47:38 2018 -0500 @@ -0,0 +1,49 @@ +/* + * bdiff.cc - fuzzer harness for bdiff.c + * + * Copyright 2018, Google Inc. + * + * This software may be used and distributed according to the terms of + * the GNU General Public License, incorporated herein by reference. + */ +#include <stdlib.h> + +extern "C" { +#include "bdiff.h" + +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) +{ + if (!Size) { + return 0; + } + // figure out a random point in [0, Size] to split our input. + size_t split = Data[0] / 255.0 * Size; + + // left input to diff is data[1:split] + const uint8_t *left = Data + 1; + // which has len split-1 + size_t left_size = split - 1; + // right starts at the next byte after left ends + const uint8_t *right = left + left_size; + size_t right_size = Size - split; + + struct bdiff_line *a, *b; + int an = bdiff_splitlines((const char *)left, split - 1, &a); + int bn = bdiff_splitlines((const char *)right, right_size, &b); + struct bdiff_hunk l; + bdiff_diff(a, an, b, bn, &l); + free(a); + free(b); + bdiff_freehunks(l.next); + return 0; // Non-zero return values are reserved for future use. +} + +#ifdef HG_FUZZER_INCLUDE_MAIN +int main(int argc, char **argv) +{ + const char data[] = "asdf"; + return LLVMFuzzerTestOneInput((const uint8_t *)data, 4); +} +#endif + +} // extern "C"
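Review bot: `size_t split = Data[0] / 255.0 * Size;` can evaluate to 0 (whenever `Data[0] == 0`), and the next lines then compute `size_t left_size = split - 1;` and pass `split - 1` to `bdiff_splitlines`, so the harness hands bdiff a length of SIZE_MAX and reads far past the input buffer. ASan will report that as a crash in bdiff rather than in the harness, which is exactly the kind of false positive a fuzz target must not produce. Choose the split from [1, Size] instead, e.g. `size_t split = 1 + (Data[0] * (Size - 1)) / 255;`, and pass `left_size` rather than recomputing `split - 1` in the `bdiff_splitlines` call so the two cannot drift. The comment above the line also says `[0, Size]`, which is the wrong range for the same reason. Separately, the return values of `bdiff_splitlines` and `bdiff_diff` are not checked, so a negative count from a failed allocation would flow straight into `bdiff_diff`, and the file uses `uint8_t` and `size_t` while including only `<stdlib.h>`; add `<stdint.h>` explicitly rather than relying on what bdiff.h happens to pull in.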