Fix Fuzzing setup for Linux

c8ae8d7d · Dominik Loidolt · 010c455d · c8ae8d7d · c8ae8d7d · c8ae8d7d
Commit c8ae8d7d authored 8 months ago by Dominik Loidolt
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -152,7 +152,7 @@ meson setup builddir_fuzzing \
  --buildtype=plain \
  -Dfuzzer=enabled \
  -Dfuzzer_ldflags=-fsanitize=fuzzer \
-  -Dc_args="-O1 -gline-tables-only -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link" \
+  -Dc_args="-O1 -gline-tables-only -fsanitize=fuzzer-no-link" \
  -Db_sanitize=address,undefined \
  -Ddebug_level=0 \
  -Ddefault_library=static \

--- a/test/fuzz/fuzz_compression.c
+++ b/test/fuzz/fuzz_compression.c
@@ -26,7 +26,6 @@

 #include "fuzz_helpers.h"
 #include "fuzz_data_producer.h"
-#include "../test_common/test_common.h"

 #include "../../lib/cmp_chunk.h"

@@ -62,7 +61,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
 	if (cmp_is_error(cmp_size_bound))
 		cmp_size_bound = 0;
 	cmp_data_capacity = FUZZ_dataProducer_uint32Range(producer, 0, cmp_size_bound+(uint32_t)size);
-	cmp_data = (uint32_t *)TEST_malloc(cmp_data_capacity);
+	cmp_data = (uint32_t *)FUZZ_malloc(cmp_data_capacity);

 	FUZZ_dataProducer_cmp_par(producer, &cmp_par);
 	if (FUZZ_dataProducer_uint32Range(producer, 0, 1))
@@ -74,10 +73,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
 		up_model = NULL;
 		break;
 	case 1:
-		up_model = TEST_malloc(size);
+		up_model = FUZZ_malloc(size);
 		break;
 	case 2:
-		up_model = TEST_malloc(size);
+		up_model = FUZZ_malloc(size);
 		if (model && up_model) {
 			memcpy(up_model, model, size);
 			model = up_model; /* in-place update */

--- a/test/fuzz/fuzz_data_producer.c
+++ b/test/fuzz/fuzz_data_producer.c
@@ -23,7 +23,6 @@

 #include "fuzz_helpers.h"
 #include "fuzz_data_producer.h"
-#include "../test_common/test_common.h"
 #include <cmp_chunk.h>

 struct FUZZ_dataProducer_s{
@@ -32,7 +31,7 @@ struct FUZZ_dataProducer_s{
 };

 FUZZ_dataProducer_t *FUZZ_dataProducer_create(const uint8_t *data, size_t size) {
-    FUZZ_dataProducer_t *producer = TEST_malloc(sizeof(FUZZ_dataProducer_t));
+    FUZZ_dataProducer_t *producer = FUZZ_malloc(sizeof(FUZZ_dataProducer_t));

    producer->data = data;
    producer->size = size;

--- a/test/fuzz/fuzz_decompression.c
+++ b/test/fuzz/fuzz_decompression.c
@@ -22,7 +22,6 @@

 #include "fuzz_helpers.h"
 #include "fuzz_data_producer.h"
-#include "../test_common/test_common.h"

 #include "../../lib/decmp.h"

@@ -77,10 +76,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
 		up_model_buf = NULL;
 		break;
 	case 1:
-		up_model_buf = TEST_malloc(model_of_data_size);
+		up_model_buf = FUZZ_malloc(model_of_data_size);
 		break;
 	case 2: /* in-place update */
-		up_model_buf = TEST_malloc(model_of_data_size);
+		up_model_buf = FUZZ_malloc(model_of_data_size);
 		if (model_of_data && up_model_buf) {
 			memcpy(up_model_buf, model_of_data, model_of_data_size);
 			model_of_data = up_model_buf;
@@ -90,7 +89,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
 		FUZZ_ASSERT(0);
 	}

-	decompressed_data = TEST_malloc((size_t)model_of_data_size);
+	decompressed_data = FUZZ_malloc((size_t)model_of_data_size);
 	decompress_cmp_entiy_save(ent, ent_size, model_of_data, up_model_buf, decompressed_data, model_of_data_size);

 	free(up_model_buf);

--- a/test/fuzz/fuzz_helpers.c
+++ b/test/fuzz/fuzz_helpers.c
+/*
+ * Copyright (c) Meta Platforms, Inc. and affiliates.
+ * All rights reserved.
+ *
+ * This source code is licensed under both the BSD-style license (found in the
+ * LICENSE.BSD-3.Zstandard file in the 3rdparty_licenses directory) and the GPLv2
+ * (found in the LICENSE.GPL-2 file in the 3rdparty_licenses directory).
+ * You may select, at your option, one of the above-listed licenses.
+ */
+
+/**
+ * Helper functions for fuzzing.
+ */
+
+#include <stdlib.h>
+
+#include "fuzz_helpers.h"
+
+
+void* FUZZ_malloc(size_t size)
+{
+    if (size > 0) {
+        void* const mem = malloc(size);
+        FUZZ_ASSERT(mem);
+        return mem;
+    }
+    return NULL;
+}
--- a/test/fuzz/fuzz_helpers.h
+++ b/test/fuzz/fuzz_helpers.h
@@ -35,6 +35,8 @@ extern "C" {
             abort()))
 #define FUZZ_ASSERT(cond) FUZZ_ASSERT_MSG((cond), "");

+void* FUZZ_malloc(size_t size);
+
 #ifdef __cplusplus
 }
 #endif

--- a/test/fuzz/fuzz_round_trip.c
+++ b/test/fuzz/fuzz_round_trip.c
@@ -27,7 +27,6 @@
 #include "fuzz_helpers.h"
 #include "fuzz_data_producer.h"
 #include "../test_common/chunk_round_trip.h"
-#include "../test_common/test_common.h"


 int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
@@ -62,7 +61,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)

 	/* 1/2 of the cases we use a updated model buffer */
 	if (FUZZ_dataProducer_uint32Range(producer, 0, 1)) {
-		up_model = TEST_malloc(size);
+		up_model = FUZZ_malloc(size);
 		if (!model_mode_is_used(cmp_par.cmp_mode))
 			memset(up_model, 0, size); /* up_model is not used */
 	}
@@ -71,7 +70,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
 	if (cmp_is_error(cmp_size_bound))
 		cmp_size_bound = 0;
 	cmp_data_capacity = FUZZ_dataProducer_uint32Range(producer, 0, cmp_size_bound+(uint32_t)size);
-	cmp_data = (uint32_t *)TEST_malloc(cmp_data_capacity);
+	cmp_data = (uint32_t *)FUZZ_malloc(cmp_data_capacity);

 	use_decmp_buf = FUZZ_dataProducer_int32Range(producer, 0, 1);
 	use_decmp_up_model = FUZZ_dataProducer_int32Range(producer, 0, 1);

--- a/test/fuzz/meson.build
+++ b/test/fuzz/meson.build
@@ -2,7 +2,7 @@ if get_option('fuzzer').disabled()
  subdir_done()
 endif

-fuzz_common = files('fuzz_data_producer.c')
+fuzz_common = files('fuzz_data_producer.c', 'fuzz_helpers.c')
 fuzz_targets = ['fuzz_compression.c', 'fuzz_round_trip.c', 'fuzz_decompression.c']

 add_languages('cpp', native: false) # libFuzzingEngine needs c++
@@ -12,9 +12,9 @@ foreach target : fuzz_targets
  target_name = file_name.split('.').get(0)

  fuzz_exe = executable(target_name,
-    fuzz_common, file_name,
+    fuzz_common, chunk_round_trip, file_name,
    include_directories : incdir,
-    link_with : [cmp_lib, test_common_lib],
+    link_with : [cmp_lib],
    link_args : get_option('fuzzer_ldflags'),
    link_language : 'cpp' # libFuzzingEngine needs c++
  )

--- a/test/test_common/chunk_round_trip.c
+++ b/test/test_common/chunk_round_trip.c
@@ -32,6 +32,26 @@
 #endif


+
+/**
+ * @brief allocates memory safely for tests
+ *
+ * @param size the size of memory to allocate
+ *
+ * @returns a pointer to the allocated memory, or NULL if allocation fails
+ */
+
+static void* TEST_malloc(size_t size)
+{
+    if (size > 0) {
+        void* const mem = malloc(size);
+        TEST_ASSERT(mem);
+        return mem;
+    }
+    return NULL;
+}
+
+
 /**
 * @brief performs chunk compression and checks if a decompression is possible
 *

--- a/test/test_common/meson.build
+++ b/test/test_common/meson.build
 pcg_proj = subproject('pcg-c-basic')
 pcb_dep = pcg_proj.get_variable('libpcg_basic_dep')

+chunk_round_trip = files('chunk_round_trip.c')
 test_common_lib = static_library(
   'test_common',
   'test_common.c',
-   'chunk_round_trip.c',
+   chunk_round_trip,
   dependencies: [pcb_dep, unity_dep]
 )
--- a/test/test_common/test_common.c
+++ b/test/test_common/test_common.c
@@ -50,22 +50,3 @@ uint32_t cmp_rand_nbits(unsigned int n_bits)

 	return cmp_rand32() >> (32 - n_bits);
 }
-
-
-/**
- * @brief allocates memory safely for tests
- *
- * @param size The size of memory to allocate.
- *
- * @returns a pointer to the allocated memory, or NULL if allocation fails
- */
-
-void* TEST_malloc(size_t size)
-{
-    if (size > 0) {
-        void* const mem = malloc(size);
-        TEST_ASSERT(mem);
-        return mem;
-    }
-    return NULL;
-}
--- a/test/test_common/test_common.h
+++ b/test/test_common/test_common.h
@@ -12,6 +12,4 @@ uint32_t cmp_rand_between(uint32_t min, uint32_t max);

 uint32_t cmp_rand_nbits(unsigned int n_bits);

-void* TEST_malloc(size_t size);
-
 #endif /* TEST_COMMON_H */