minetest/irrlicht
1
0
Fork 0
mirror of https://github.com/minetest/irrlicht.git synced 2025-07-02 00:00:26 +02:00
Code Issues Projects Releases Wiki Activity

Shamelessly copy Josiah

Browse Source
This commit is contained in:
jordan4ibanez
2023-11-26 01:34:57 -05:00
parent 650ccf9844
commit d5360a20a6
1080 changed files with 39 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
source/lib/json/tests/thirdparty/Fuzzer/test/AFLDriverTest.cpp vendored Normal file
View File

@ -0,0 +1,22 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Contains dummy functions used to avoid dependency on AFL.
#include <stdint.h>
#include <stdlib.h>
extern "C" void __afl_manual_init() {}
extern "C" int __afl_persistent_loop(unsigned int) {
return 0;
}
// This declaration exists to prevent the Darwin linker
// from complaining about this being a missing weak symbol.
extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
return 0;
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
return 0;
}

23
source/lib/json/tests/thirdparty/Fuzzer/test/AbsNegAndConstant64Test.cpp vendored Normal file
View File

@ -0,0 +1,23 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// abs(x) < 0 and y == Const puzzle, 64-bit variant.
#include <cstring>
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <cstdio>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size < 16) return 0;
int64_t x;
uint64_t y;
memcpy(&x, Data, sizeof(x));
memcpy(&y, Data + sizeof(x), sizeof(y));
if (labs(x) < 0 && y == 0xbaddcafedeadbeefUL) {
printf("BINGO; Found the target, exiting; x = 0x%lx y 0x%lx\n", x, y);
exit(1);
}
return 0;
}

23
source/lib/json/tests/thirdparty/Fuzzer/test/AbsNegAndConstantTest.cpp vendored Normal file
View File

@ -0,0 +1,23 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// abs(x) < 0 and y == Const puzzle.
#include <cstring>
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <cstdio>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size < 8) return 0;
int x;
unsigned y;
memcpy(&x, Data, sizeof(x));
memcpy(&y, Data + sizeof(x), sizeof(y));
if (abs(x) < 0 && y == 0xbaddcafe) {
printf("BINGO; Found the target, exiting; x = 0x%x y 0x%x\n", x, y);
exit(1);
}
return 0;
}

17
source/lib/json/tests/thirdparty/Fuzzer/test/AccumulateAllocationsTest.cpp vendored Normal file
View File

@ -0,0 +1,17 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Test with a more mallocs than frees, but no leak.
#include <cstdint>
#include <cstddef>
const int kAllocatedPointersSize = 10000;
int NumAllocatedPointers = 0;
int *AllocatedPointers[kAllocatedPointersSize];
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (NumAllocatedPointers < kAllocatedPointersSize)
AllocatedPointers[NumAllocatedPointers++] = new int;
return 0;
}

23
source/lib/json/tests/thirdparty/Fuzzer/test/BufferOverflowOnInput.cpp vendored Normal file
View File

@ -0,0 +1,23 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer. The fuzzer must find the string "Hi!".
#include <assert.h>
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <iostream>
static volatile bool SeedLargeBuffer;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
assert(Data);
if (Size >= 4)
SeedLargeBuffer = true;
if (Size == 3 && SeedLargeBuffer && Data[3]) {
std::cout << "Woops, reading Data[3] w/o crashing\n";
exit(1);
}
return 0;
}

217
source/lib/json/tests/thirdparty/Fuzzer/test/CMakeLists.txt vendored Normal file
View File

@ -0,0 +1,217 @@
# Build all these tests with -O0, otherwise optimizations may merge some
# basic blocks and we'll fail to discover the targets.
# We change the flags for every build type because we might be doing
# a multi-configuration build (e.g. Xcode) where CMAKE_BUILD_TYPE doesn't
# mean anything.
set(variables_to_filter
CMAKE_CXX_FLAGS_RELEASE
CMAKE_CXX_FLAGS_DEBUG
CMAKE_CXX_FLAGS_RELWITHDEBINFO
CMAKE_CXX_FLAGS_MINSIZEREL
LIBFUZZER_FLAGS_BASE
)
foreach (VARNAME ${variables_to_filter})
string(REPLACE " " ";" BUILD_FLAGS_AS_LIST "${${VARNAME}}")
set(new_flags "")
foreach (flag ${BUILD_FLAGS_AS_LIST})
# NOTE: Use of XX here is to avoid a CMake warning due to CMP0054
if (NOT ("XX${flag}" MATCHES "XX-O[0123s]"))
set(new_flags "${new_flags} ${flag}")
else()
set(new_flags "${new_flags} -O0")
endif()
endforeach()
set(${VARNAME} "${new_flags}")
endforeach()
# Enable the coverage instrumentation (it is disabled for the Fuzzer lib).
set(CMAKE_CXX_FLAGS "${LIBFUZZER_FLAGS_BASE} -fsanitize-coverage=trace-pc-guard,indirect-calls,trace-cmp,trace-div,trace-gep -g")
# add_libfuzzer_test(<name>
# SOURCES source0.cpp [source1.cpp ...]
# )
#
# Declares a LibFuzzer test executable with target name LLVMFuzzer-<name>.
#
# One or more source files to be compiled into the binary must be declared
# after the SOURCES keyword.
function(add_libfuzzer_test name)
set(multi_arg_options "SOURCES")
cmake_parse_arguments(
"add_libfuzzer_test" "" "" "${multi_arg_options}" ${ARGN})
if ("${add_libfuzzer_test_SOURCES}" STREQUAL "")
message(FATAL_ERROR "Source files must be specified")
endif()
add_executable(LLVMFuzzer-${name}
${add_libfuzzer_test_SOURCES}
)
target_link_libraries(LLVMFuzzer-${name} LLVMFuzzer)
# Place binary where llvm-lit expects to find it
set_target_properties(LLVMFuzzer-${name}
PROPERTIES RUNTIME_OUTPUT_DIRECTORY
"${CMAKE_BINARY_DIR}/lib/Fuzzer/test"
)
set(TestBinaries ${TestBinaries} LLVMFuzzer-${name} PARENT_SCOPE)
endfunction()
# Variable to keep track of all test targets
set(TestBinaries)
###############################################################################
# Basic tests
###############################################################################
set(Tests
AbsNegAndConstantTest
AbsNegAndConstant64Test
AccumulateAllocationsTest
BufferOverflowOnInput
CallerCalleeTest
CounterTest
CustomCrossOverTest
CustomMutatorTest
DivTest
EmptyTest
FourIndependentBranchesTest
FullCoverageSetTest
InitializeTest
MemcmpTest
LeakTest
LeakTimeoutTest
LoadTest
NullDerefTest
NullDerefOnEmptyTest
NthRunCrashTest
OneHugeAllocTest
OutOfMemoryTest
OutOfMemorySingleLargeMallocTest
RepeatedMemcmp
RepeatedBytesTest
SimpleCmpTest
SimpleDictionaryTest
SimpleHashTest
SimpleTest
SimpleThreadedTest
SingleMemcmpTest
SingleStrcmpTest
SingleStrncmpTest
SpamyTest
ShrinkControlFlowTest
ShrinkValueProfileTest
StrcmpTest
StrncmpOOBTest
StrncmpTest
StrstrTest
SwapCmpTest
SwitchTest
Switch2Test
ThreadedLeakTest
ThreadedTest
TimeoutTest
TimeoutEmptyTest
TraceMallocTest
)
if(APPLE)
# LeakSanitizer is not supported on OSX right now
set(HAS_LSAN 0)
message(WARNING "LeakSanitizer is not supported on Apple platforms."
" Building and running LibFuzzer LeakSanitizer tests is disabled."
)
else()
set(HAS_LSAN 1)
endif()
foreach(Test ${Tests})
add_libfuzzer_test(${Test} SOURCES ${Test}.cpp)
endforeach()
###############################################################################
# Unit tests
###############################################################################
add_executable(LLVMFuzzer-Unittest
FuzzerUnittest.cpp
)
add_executable(LLVMFuzzer-StandaloneInitializeTest
InitializeTest.cpp
../standalone/StandaloneFuzzTargetMain.c
)
target_link_libraries(LLVMFuzzer-Unittest
gtest
gtest_main
LLVMFuzzerNoMain
)
target_include_directories(LLVMFuzzer-Unittest PRIVATE
"${LLVM_MAIN_SRC_DIR}/utils/unittest/googletest/include"
)
set(TestBinaries ${TestBinaries} LLVMFuzzer-Unittest)
set_target_properties(LLVMFuzzer-Unittest
PROPERTIES RUNTIME_OUTPUT_DIRECTORY
"${CMAKE_CURRENT_BINARY_DIR}"
)
set(TestBinaries ${TestBinaries} LLVMFuzzer-StandaloneInitializeTest)
set_target_properties(LLVMFuzzer-StandaloneInitializeTest
PROPERTIES RUNTIME_OUTPUT_DIRECTORY
"${CMAKE_CURRENT_BINARY_DIR}"
)
###############################################################################
# Additional tests
###############################################################################
include_directories(..)
# add_subdirectory(uninstrumented)
add_subdirectory(no-coverage)
add_subdirectory(ubsan)
add_library(LLVMFuzzer-DSO1 SHARED DSO1.cpp)
add_library(LLVMFuzzer-DSO2 SHARED DSO2.cpp)
add_executable(LLVMFuzzer-DSOTest
DSOTestMain.cpp
DSOTestExtra.cpp)
target_link_libraries(LLVMFuzzer-DSOTest
LLVMFuzzer-DSO1
LLVMFuzzer-DSO2
LLVMFuzzer
)
set_target_properties(LLVMFuzzer-DSOTest PROPERTIES RUNTIME_OUTPUT_DIRECTORY
"${CMAKE_BINARY_DIR}/lib/Fuzzer/test")
set_target_properties(LLVMFuzzer-DSO1 PROPERTIES LIBRARY_OUTPUT_DIRECTORY
"${CMAKE_BINARY_DIR}/lib/Fuzzer/lib")
set_target_properties(LLVMFuzzer-DSO2 PROPERTIES LIBRARY_OUTPUT_DIRECTORY
"${CMAKE_BINARY_DIR}/lib/Fuzzer/lib")
set(TestBinaries ${TestBinaries} LLVMFuzzer-DSOTest)
###############################################################################
# Configure lit to run the tests
#
# Note this is done after declaring all tests so we can inform lit if any tests
# need to be disabled.
###############################################################################
configure_lit_site_cfg(
${CMAKE_CURRENT_SOURCE_DIR}/lit.site.cfg.in
${CMAKE_CURRENT_BINARY_DIR}/lit.site.cfg
)
configure_lit_site_cfg(
${CMAKE_CURRENT_SOURCE_DIR}/unit/lit.site.cfg.in
${CMAKE_CURRENT_BINARY_DIR}/unit/lit.site.cfg
)
add_lit_testsuite(check-fuzzer "Running Fuzzer tests"
${CMAKE_CURRENT_BINARY_DIR}
DEPENDS ${TestBinaries} FileCheck not
)

59
source/lib/json/tests/thirdparty/Fuzzer/test/CallerCalleeTest.cpp vendored Normal file
View File

@ -0,0 +1,59 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer.
// Try to find the target using the indirect caller-callee pairs.
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <cstring>
#include <iostream>
typedef void (*F)();
static F t[256];
void f34() {
std::cerr << "BINGO\n";
exit(1);
}
void f23() { t[(unsigned)'d'] = f34;}
void f12() { t[(unsigned)'c'] = f23;}
void f01() { t[(unsigned)'b'] = f12;}
void f00() {}
static F t0[256] = {
f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00,
f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00,
f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00,
f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00,
f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00,
f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00,
f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00,
f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00,
f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00,
f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00,
f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00,
f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00,
f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00,
f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00,
f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00,
f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00, f00,
};
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size < 4) return 0;
// Spoof the counters.
for (int i = 0; i < 200; i++) {
f23();
f12();
f01();
}
memcpy(t, t0, sizeof(t));
t[(unsigned)'a'] = f01;
t[Data[0]]();
t[Data[1]]();
t[Data[2]]();
t[Data[3]]();
return 0;
}

18
source/lib/json/tests/thirdparty/Fuzzer/test/CounterTest.cpp vendored Normal file
View File

@ -0,0 +1,18 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Test for a fuzzer: must find the case where a particular basic block is
// executed many times.
#include <iostream>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
int Num = 0;
for (size_t i = 0; i < Size; i++)
if (Data[i] == 'A' + i)
Num++;
if (Num >= 4) {
std::cerr << "BINGO!\n";
exit(1);
}
return 0;
}

63
source/lib/json/tests/thirdparty/Fuzzer/test/CustomCrossOverTest.cpp vendored Normal file
View File

@ -0,0 +1,63 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a cutom mutator.
#include <assert.h>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <random>
#include <string.h>
#include "FuzzerInterface.h"
static const char *Separator = "-_^_-";
static const char *Target = "012-_^_-abc";
static volatile int sink;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
assert(Data);
std::string Str(reinterpret_cast<const char *>(Data), Size);
// Ensure that two different elements exist in the corpus.
if (Size && Data[0] == '0') sink++;
if (Size && Data[0] == 'a') sink--;
if (Str.find(Target) != std::string::npos) {
std::cout << "BINGO; Found the target, exiting\n";
exit(1);
}
return 0;
}
extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t *Data1, size_t Size1,
const uint8_t *Data2, size_t Size2,
uint8_t *Out, size_t MaxOutSize,
unsigned int Seed) {
static bool Printed;
static size_t SeparatorLen = strlen(Separator);
if (!Printed) {
std::cerr << "In LLVMFuzzerCustomCrossover\n";
Printed = true;
}
std::mt19937 R(Seed);
size_t Offset1 = 0;
size_t Len1 = R() % (Size1 - Offset1);
size_t Offset2 = 0;
size_t Len2 = R() % (Size2 - Offset2);
size_t Size = Len1 + Len2 + SeparatorLen;
if (Size > MaxOutSize)
return 0;
memcpy(Out, Data1 + Offset1, Len1);
memcpy(Out + Len1, Separator, SeparatorLen);
memcpy(Out + Len1 + SeparatorLen, Data2 + Offset2, Len2);
return Len1 + Len2 + SeparatorLen;
}

38
source/lib/json/tests/thirdparty/Fuzzer/test/CustomMutatorTest.cpp vendored Normal file
View File

@ -0,0 +1,38 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a cutom mutator.
#include <assert.h>
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <iostream>
#include "FuzzerInterface.h"
static volatile int Sink;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
assert(Data);
if (Size > 0 && Data[0] == 'H') {
Sink = 1;
if (Size > 1 && Data[1] == 'i') {
Sink = 2;
if (Size > 2 && Data[2] == '!') {
std::cout << "BINGO; Found the target, exiting\n";
exit(1);
}
}
}
return 0;
}
extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
size_t MaxSize, unsigned int Seed) {
static bool Printed;
if (!Printed) {
std::cerr << "In LLVMFuzzerCustomMutator\n";
Printed = true;
}
return LLVMFuzzerMutate(Data, Size, MaxSize);
}

12
source/lib/json/tests/thirdparty/Fuzzer/test/DSO1.cpp vendored Normal file
View File

@ -0,0 +1,12 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Source code for a simple DSO.
int DSO1(int a) {
if (a < 123456)
return 0;
return 1;
}
void Uncovered1() { }

12
source/lib/json/tests/thirdparty/Fuzzer/test/DSO2.cpp vendored Normal file
View File

@ -0,0 +1,12 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Source code for a simple DSO.
int DSO2(int a) {
if (a < 3598235)
return 0;
return 1;
}
void Uncovered2() {}

11
source/lib/json/tests/thirdparty/Fuzzer/test/DSOTestExtra.cpp vendored Normal file
View File

@ -0,0 +1,11 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Source code for a simple DSO.
int DSOTestExtra(int a) {
if (a < 452345)
return 0;
return 1;
}

31
source/lib/json/tests/thirdparty/Fuzzer/test/DSOTestMain.cpp vendored Normal file
View File

@ -0,0 +1,31 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Source code for a simple DSO.
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <cstdio>
extern int DSO1(int a);
extern int DSO2(int a);
extern int DSOTestExtra(int a);
static volatile int *nil = 0;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
int x, y, z;
if (Size < sizeof(int) * 3) {
x = y = z = 0;
} else {
memcpy(&x, Data + 0 * sizeof(int), sizeof(int));
memcpy(&y, Data + 1 * sizeof(int), sizeof(int));
memcpy(&z, Data + 2 * sizeof(int), sizeof(int));
}
int sum = DSO1(x) + DSO2(y) + (z ? DSOTestExtra(z) : 0);
if (sum == 3) {
fprintf(stderr, "BINGO %d %d %d\n", x, y, z);
*nil = 0;
}
return 0;
}

20
source/lib/json/tests/thirdparty/Fuzzer/test/DivTest.cpp vendored Normal file
View File

@ -0,0 +1,20 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer: find the interesting argument for div.
#include <assert.h>
#include <cstdint>
#include <cstring>
#include <cstddef>
#include <iostream>
static volatile int Sink;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size < 4) return 0;
int a;
memcpy(&a, Data, 4);
Sink = 12345678 / (987654 - a);
return 0;
}

11
source/lib/json/tests/thirdparty/Fuzzer/test/EmptyTest.cpp vendored Normal file
View File

@ -0,0 +1,11 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
// A fuzzer with empty target function.
#include <cstdint>
#include <cstdlib>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
return 0;
}

22
source/lib/json/tests/thirdparty/Fuzzer/test/FourIndependentBranchesTest.cpp vendored Normal file
View File

@ -0,0 +1,22 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer. The fuzzer must find the string "FUZZ".
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <iostream>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
int bits = 0;
if (Size > 0 && Data[0] == 'F') bits |= 1;
if (Size > 1 && Data[1] == 'U') bits |= 2;
if (Size > 2 && Data[2] == 'Z') bits |= 4;
if (Size > 3 && Data[3] == 'Z') bits |= 8;
if (bits == 15) {
std::cerr << "BINGO!\n";
exit(1);
}
return 0;
}

24
source/lib/json/tests/thirdparty/Fuzzer/test/FullCoverageSetTest.cpp vendored Normal file
View File

@ -0,0 +1,24 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer. The fuzzer must find the string "FUZZER".
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <iostream>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
int bits = 0;
if (Size > 0 && Data[0] == 'F') bits |= 1;
if (Size > 1 && Data[1] == 'U') bits |= 2;
if (Size > 2 && Data[2] == 'Z') bits |= 4;
if (Size > 3 && Data[3] == 'Z') bits |= 8;
if (Size > 4 && Data[4] == 'E') bits |= 16;
if (Size > 5 && Data[5] == 'R') bits |= 32;
if (bits == 63) {
std::cerr << "BINGO!\n";
exit(1);
}
return 0;
}

738
source/lib/json/tests/thirdparty/Fuzzer/test/FuzzerUnittest.cpp vendored Normal file
View File

@ -0,0 +1,738 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Avoid ODR violations (LibFuzzer is built without ASan and this test is built
// with ASan) involving C++ standard library types when using libcxx.
#define _LIBCPP_HAS_NO_ASAN
#include "FuzzerCorpus.h"
#include "FuzzerInternal.h"
#include "FuzzerDictionary.h"
#include "FuzzerMerge.h"
#include "FuzzerMutate.h"
#include "FuzzerRandom.h"
#include "gtest/gtest.h"
#include <memory>
#include <set>
using namespace fuzzer;
// For now, have LLVMFuzzerTestOneInput just to make it link.
// Later we may want to make unittests that actually call LLVMFuzzerTestOneInput.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
abort();
}
TEST(Fuzzer, CrossOver) {
std::unique_ptr<ExternalFunctions> t(new ExternalFunctions());
fuzzer::EF = t.get();
Random Rand(0);
MutationDispatcher MD(Rand, {});
Unit A({0, 1, 2}), B({5, 6, 7});
Unit C;
Unit Expected[] = {
{ 0 },
{ 0, 1 },
{ 0, 5 },
{ 0, 1, 2 },
{ 0, 1, 5 },
{ 0, 5, 1 },
{ 0, 5, 6 },
{ 0, 1, 2, 5 },
{ 0, 1, 5, 2 },
{ 0, 1, 5, 6 },
{ 0, 5, 1, 2 },
{ 0, 5, 1, 6 },
{ 0, 5, 6, 1 },
{ 0, 5, 6, 7 },
{ 0, 1, 2, 5, 6 },
{ 0, 1, 5, 2, 6 },
{ 0, 1, 5, 6, 2 },
{ 0, 1, 5, 6, 7 },
{ 0, 5, 1, 2, 6 },
{ 0, 5, 1, 6, 2 },
{ 0, 5, 1, 6, 7 },
{ 0, 5, 6, 1, 2 },
{ 0, 5, 6, 1, 7 },
{ 0, 5, 6, 7, 1 },
{ 0, 1, 2, 5, 6, 7 },
{ 0, 1, 5, 2, 6, 7 },
{ 0, 1, 5, 6, 2, 7 },
{ 0, 1, 5, 6, 7, 2 },
{ 0, 5, 1, 2, 6, 7 },
{ 0, 5, 1, 6, 2, 7 },
{ 0, 5, 1, 6, 7, 2 },
{ 0, 5, 6, 1, 2, 7 },
{ 0, 5, 6, 1, 7, 2 },
{ 0, 5, 6, 7, 1, 2 }
};
for (size_t Len = 1; Len < 8; Len++) {
std::set<Unit> FoundUnits, ExpectedUnitsWitThisLength;
for (int Iter = 0; Iter < 3000; Iter++) {
C.resize(Len);
size_t NewSize = MD.CrossOver(A.data(), A.size(), B.data(), B.size(),
C.data(), C.size());
C.resize(NewSize);
FoundUnits.insert(C);
}
for (const Unit &U : Expected)
if (U.size() <= Len)
ExpectedUnitsWitThisLength.insert(U);
EXPECT_EQ(ExpectedUnitsWitThisLength, FoundUnits);
}
}
TEST(Fuzzer, Hash) {
uint8_t A[] = {'a', 'b', 'c'};
fuzzer::Unit U(A, A + sizeof(A));
EXPECT_EQ("a9993e364706816aba3e25717850c26c9cd0d89d", fuzzer::Hash(U));
U.push_back('d');
EXPECT_EQ("81fe8bfe87576c3ecb22426f8e57847382917acf", fuzzer::Hash(U));
}
typedef size_t (MutationDispatcher::*Mutator)(uint8_t *Data, size_t Size,
size_t MaxSize);
void TestEraseBytes(Mutator M, int NumIter) {
std::unique_ptr<ExternalFunctions> t(new ExternalFunctions());
fuzzer::EF = t.get();
uint8_t REM0[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
uint8_t REM1[8] = {0x00, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
uint8_t REM2[8] = {0x00, 0x11, 0x33, 0x44, 0x55, 0x66, 0x77};
uint8_t REM3[8] = {0x00, 0x11, 0x22, 0x44, 0x55, 0x66, 0x77};
uint8_t REM4[8] = {0x00, 0x11, 0x22, 0x33, 0x55, 0x66, 0x77};
uint8_t REM5[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x66, 0x77};
uint8_t REM6[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x77};
uint8_t REM7[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
uint8_t REM8[6] = {0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
uint8_t REM9[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
uint8_t REM10[6] = {0x00, 0x11, 0x22, 0x55, 0x66, 0x77};
uint8_t REM11[5] = {0x33, 0x44, 0x55, 0x66, 0x77};
uint8_t REM12[5] = {0x00, 0x11, 0x22, 0x33, 0x44};
uint8_t REM13[5] = {0x00, 0x44, 0x55, 0x66, 0x77};
Random Rand(0);
MutationDispatcher MD(Rand, {});
int FoundMask = 0;
for (int i = 0; i < NumIter; i++) {
uint8_t T[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
size_t NewSize = (MD.*M)(T, sizeof(T), sizeof(T));
if (NewSize == 7 && !memcmp(REM0, T, 7)) FoundMask |= 1 << 0;
if (NewSize == 7 && !memcmp(REM1, T, 7)) FoundMask |= 1 << 1;
if (NewSize == 7 && !memcmp(REM2, T, 7)) FoundMask |= 1 << 2;
if (NewSize == 7 && !memcmp(REM3, T, 7)) FoundMask |= 1 << 3;
if (NewSize == 7 && !memcmp(REM4, T, 7)) FoundMask |= 1 << 4;
if (NewSize == 7 && !memcmp(REM5, T, 7)) FoundMask |= 1 << 5;
if (NewSize == 7 && !memcmp(REM6, T, 7)) FoundMask |= 1 << 6;
if (NewSize == 7 && !memcmp(REM7, T, 7)) FoundMask |= 1 << 7;
if (NewSize == 6 && !memcmp(REM8, T, 6)) FoundMask |= 1 << 8;
if (NewSize == 6 && !memcmp(REM9, T, 6)) FoundMask |= 1 << 9;
if (NewSize == 6 && !memcmp(REM10, T, 6)) FoundMask |= 1 << 10;
if (NewSize == 5 && !memcmp(REM11, T, 5)) FoundMask |= 1 << 11;
if (NewSize == 5 && !memcmp(REM12, T, 5)) FoundMask |= 1 << 12;
if (NewSize == 5 && !memcmp(REM13, T, 5)) FoundMask |= 1 << 13;
}
EXPECT_EQ(FoundMask, (1 << 14) - 1);
}
TEST(FuzzerMutate, EraseBytes1) {
TestEraseBytes(&MutationDispatcher::Mutate_EraseBytes, 200);
}
TEST(FuzzerMutate, EraseBytes2) {
TestEraseBytes(&MutationDispatcher::Mutate, 2000);
}
void TestInsertByte(Mutator M, int NumIter) {
std::unique_ptr<ExternalFunctions> t(new ExternalFunctions());
fuzzer::EF = t.get();
Random Rand(0);
MutationDispatcher MD(Rand, {});
int FoundMask = 0;
uint8_t INS0[8] = {0xF1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
uint8_t INS1[8] = {0x00, 0xF2, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
uint8_t INS2[8] = {0x00, 0x11, 0xF3, 0x22, 0x33, 0x44, 0x55, 0x66};
uint8_t INS3[8] = {0x00, 0x11, 0x22, 0xF4, 0x33, 0x44, 0x55, 0x66};
uint8_t INS4[8] = {0x00, 0x11, 0x22, 0x33, 0xF5, 0x44, 0x55, 0x66};
uint8_t INS5[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0xF6, 0x55, 0x66};
uint8_t INS6[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0xF7, 0x66};
uint8_t INS7[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0xF8};
for (int i = 0; i < NumIter; i++) {
uint8_t T[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
size_t NewSize = (MD.*M)(T, 7, 8);
if (NewSize == 8 && !memcmp(INS0, T, 8)) FoundMask |= 1 << 0;
if (NewSize == 8 && !memcmp(INS1, T, 8)) FoundMask |= 1 << 1;
if (NewSize == 8 && !memcmp(INS2, T, 8)) FoundMask |= 1 << 2;
if (NewSize == 8 && !memcmp(INS3, T, 8)) FoundMask |= 1 << 3;
if (NewSize == 8 && !memcmp(INS4, T, 8)) FoundMask |= 1 << 4;
if (NewSize == 8 && !memcmp(INS5, T, 8)) FoundMask |= 1 << 5;
if (NewSize == 8 && !memcmp(INS6, T, 8)) FoundMask |= 1 << 6;
if (NewSize == 8 && !memcmp(INS7, T, 8)) FoundMask |= 1 << 7;
}
EXPECT_EQ(FoundMask, 255);
}
TEST(FuzzerMutate, InsertByte1) {
TestInsertByte(&MutationDispatcher::Mutate_InsertByte, 1 << 15);
}
TEST(FuzzerMutate, InsertByte2) {
TestInsertByte(&MutationDispatcher::Mutate, 1 << 17);
}
void TestInsertRepeatedBytes(Mutator M, int NumIter) {
std::unique_ptr<ExternalFunctions> t(new ExternalFunctions());
fuzzer::EF = t.get();
Random Rand(0);
MutationDispatcher MD(Rand, {});
int FoundMask = 0;
uint8_t INS0[7] = {0x00, 0x11, 0x22, 0x33, 'a', 'a', 'a'};
uint8_t INS1[7] = {0x00, 0x11, 0x22, 'a', 'a', 'a', 0x33};
uint8_t INS2[7] = {0x00, 0x11, 'a', 'a', 'a', 0x22, 0x33};
uint8_t INS3[7] = {0x00, 'a', 'a', 'a', 0x11, 0x22, 0x33};
uint8_t INS4[7] = {'a', 'a', 'a', 0x00, 0x11, 0x22, 0x33};
uint8_t INS5[8] = {0x00, 0x11, 0x22, 0x33, 'b', 'b', 'b', 'b'};
uint8_t INS6[8] = {0x00, 0x11, 0x22, 'b', 'b', 'b', 'b', 0x33};
uint8_t INS7[8] = {0x00, 0x11, 'b', 'b', 'b', 'b', 0x22, 0x33};
uint8_t INS8[8] = {0x00, 'b', 'b', 'b', 'b', 0x11, 0x22, 0x33};
uint8_t INS9[8] = {'b', 'b', 'b', 'b', 0x00, 0x11, 0x22, 0x33};
for (int i = 0; i < NumIter; i++) {
uint8_t T[8] = {0x00, 0x11, 0x22, 0x33};
size_t NewSize = (MD.*M)(T, 4, 8);
if (NewSize == 7 && !memcmp(INS0, T, 7)) FoundMask |= 1 << 0;
if (NewSize == 7 && !memcmp(INS1, T, 7)) FoundMask |= 1 << 1;
if (NewSize == 7 && !memcmp(INS2, T, 7)) FoundMask |= 1 << 2;
if (NewSize == 7 && !memcmp(INS3, T, 7)) FoundMask |= 1 << 3;
if (NewSize == 7 && !memcmp(INS4, T, 7)) FoundMask |= 1 << 4;
if (NewSize == 8 && !memcmp(INS5, T, 8)) FoundMask |= 1 << 5;
if (NewSize == 8 && !memcmp(INS6, T, 8)) FoundMask |= 1 << 6;
if (NewSize == 8 && !memcmp(INS7, T, 8)) FoundMask |= 1 << 7;
if (NewSize == 8 && !memcmp(INS8, T, 8)) FoundMask |= 1 << 8;
if (NewSize == 8 && !memcmp(INS9, T, 8)) FoundMask |= 1 << 9;
}
EXPECT_EQ(FoundMask, (1 << 10) - 1);
}
TEST(FuzzerMutate, InsertRepeatedBytes1) {
TestInsertRepeatedBytes(&MutationDispatcher::Mutate_InsertRepeatedBytes, 10000);
}
TEST(FuzzerMutate, InsertRepeatedBytes2) {
TestInsertRepeatedBytes(&MutationDispatcher::Mutate, 300000);
}
void TestChangeByte(Mutator M, int NumIter) {
std::unique_ptr<ExternalFunctions> t(new ExternalFunctions());
fuzzer::EF = t.get();
Random Rand(0);
MutationDispatcher MD(Rand, {});
int FoundMask = 0;
uint8_t CH0[8] = {0xF0, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
uint8_t CH1[8] = {0x00, 0xF1, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
uint8_t CH2[8] = {0x00, 0x11, 0xF2, 0x33, 0x44, 0x55, 0x66, 0x77};
uint8_t CH3[8] = {0x00, 0x11, 0x22, 0xF3, 0x44, 0x55, 0x66, 0x77};
uint8_t CH4[8] = {0x00, 0x11, 0x22, 0x33, 0xF4, 0x55, 0x66, 0x77};
uint8_t CH5[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0xF5, 0x66, 0x77};
uint8_t CH6[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0xF5, 0x77};
uint8_t CH7[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0xF7};
for (int i = 0; i < NumIter; i++) {
uint8_t T[9] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
size_t NewSize = (MD.*M)(T, 8, 9);
if (NewSize == 8 && !memcmp(CH0, T, 8)) FoundMask |= 1 << 0;
if (NewSize == 8 && !memcmp(CH1, T, 8)) FoundMask |= 1 << 1;
if (NewSize == 8 && !memcmp(CH2, T, 8)) FoundMask |= 1 << 2;
if (NewSize == 8 && !memcmp(CH3, T, 8)) FoundMask |= 1 << 3;
if (NewSize == 8 && !memcmp(CH4, T, 8)) FoundMask |= 1 << 4;
if (NewSize == 8 && !memcmp(CH5, T, 8)) FoundMask |= 1 << 5;
if (NewSize == 8 && !memcmp(CH6, T, 8)) FoundMask |= 1 << 6;
if (NewSize == 8 && !memcmp(CH7, T, 8)) FoundMask |= 1 << 7;
}
EXPECT_EQ(FoundMask, 255);
}
TEST(FuzzerMutate, ChangeByte1) {
TestChangeByte(&MutationDispatcher::Mutate_ChangeByte, 1 << 15);
}
TEST(FuzzerMutate, ChangeByte2) {
TestChangeByte(&MutationDispatcher::Mutate, 1 << 17);
}
void TestChangeBit(Mutator M, int NumIter) {
std::unique_ptr<ExternalFunctions> t(new ExternalFunctions());
fuzzer::EF = t.get();
Random Rand(0);
MutationDispatcher MD(Rand, {});
int FoundMask = 0;
uint8_t CH0[8] = {0x01, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
uint8_t CH1[8] = {0x00, 0x13, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
uint8_t CH2[8] = {0x00, 0x11, 0x02, 0x33, 0x44, 0x55, 0x66, 0x77};
uint8_t CH3[8] = {0x00, 0x11, 0x22, 0x37, 0x44, 0x55, 0x66, 0x77};
uint8_t CH4[8] = {0x00, 0x11, 0x22, 0x33, 0x54, 0x55, 0x66, 0x77};
uint8_t CH5[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x54, 0x66, 0x77};
uint8_t CH6[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x76, 0x77};
uint8_t CH7[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0xF7};
for (int i = 0; i < NumIter; i++) {
uint8_t T[9] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
size_t NewSize = (MD.*M)(T, 8, 9);
if (NewSize == 8 && !memcmp(CH0, T, 8)) FoundMask |= 1 << 0;
if (NewSize == 8 && !memcmp(CH1, T, 8)) FoundMask |= 1 << 1;
if (NewSize == 8 && !memcmp(CH2, T, 8)) FoundMask |= 1 << 2;
if (NewSize == 8 && !memcmp(CH3, T, 8)) FoundMask |= 1 << 3;
if (NewSize == 8 && !memcmp(CH4, T, 8)) FoundMask |= 1 << 4;
if (NewSize == 8 && !memcmp(CH5, T, 8)) FoundMask |= 1 << 5;
if (NewSize == 8 && !memcmp(CH6, T, 8)) FoundMask |= 1 << 6;
if (NewSize == 8 && !memcmp(CH7, T, 8)) FoundMask |= 1 << 7;
}
EXPECT_EQ(FoundMask, 255);
}
TEST(FuzzerMutate, ChangeBit1) {
TestChangeBit(&MutationDispatcher::Mutate_ChangeBit, 1 << 16);
}
TEST(FuzzerMutate, ChangeBit2) {
TestChangeBit(&MutationDispatcher::Mutate, 1 << 18);
}
void TestShuffleBytes(Mutator M, int NumIter) {
std::unique_ptr<ExternalFunctions> t(new ExternalFunctions());
fuzzer::EF = t.get();
Random Rand(0);
MutationDispatcher MD(Rand, {});
int FoundMask = 0;
uint8_t CH0[7] = {0x00, 0x22, 0x11, 0x33, 0x44, 0x55, 0x66};
uint8_t CH1[7] = {0x11, 0x00, 0x33, 0x22, 0x44, 0x55, 0x66};
uint8_t CH2[7] = {0x00, 0x33, 0x11, 0x22, 0x44, 0x55, 0x66};
uint8_t CH3[7] = {0x00, 0x11, 0x22, 0x44, 0x55, 0x66, 0x33};
uint8_t CH4[7] = {0x00, 0x11, 0x22, 0x33, 0x55, 0x44, 0x66};
for (int i = 0; i < NumIter; i++) {
uint8_t T[7] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
size_t NewSize = (MD.*M)(T, 7, 7);
if (NewSize == 7 && !memcmp(CH0, T, 7)) FoundMask |= 1 << 0;
if (NewSize == 7 && !memcmp(CH1, T, 7)) FoundMask |= 1 << 1;
if (NewSize == 7 && !memcmp(CH2, T, 7)) FoundMask |= 1 << 2;
if (NewSize == 7 && !memcmp(CH3, T, 7)) FoundMask |= 1 << 3;
if (NewSize == 7 && !memcmp(CH4, T, 7)) FoundMask |= 1 << 4;
}
EXPECT_EQ(FoundMask, 31);
}
TEST(FuzzerMutate, ShuffleBytes1) {
TestShuffleBytes(&MutationDispatcher::Mutate_ShuffleBytes, 1 << 16);
}
TEST(FuzzerMutate, ShuffleBytes2) {
TestShuffleBytes(&MutationDispatcher::Mutate, 1 << 20);
}
void TestCopyPart(Mutator M, int NumIter) {
std::unique_ptr<ExternalFunctions> t(new ExternalFunctions());
fuzzer::EF = t.get();
Random Rand(0);
MutationDispatcher MD(Rand, {});
int FoundMask = 0;
uint8_t CH0[7] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x00, 0x11};
uint8_t CH1[7] = {0x55, 0x66, 0x22, 0x33, 0x44, 0x55, 0x66};
uint8_t CH2[7] = {0x00, 0x55, 0x66, 0x33, 0x44, 0x55, 0x66};
uint8_t CH3[7] = {0x00, 0x11, 0x22, 0x00, 0x11, 0x22, 0x66};
uint8_t CH4[7] = {0x00, 0x11, 0x11, 0x22, 0x33, 0x55, 0x66};
for (int i = 0; i < NumIter; i++) {
uint8_t T[7] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
size_t NewSize = (MD.*M)(T, 7, 7);
if (NewSize == 7 && !memcmp(CH0, T, 7)) FoundMask |= 1 << 0;
if (NewSize == 7 && !memcmp(CH1, T, 7)) FoundMask |= 1 << 1;
if (NewSize == 7 && !memcmp(CH2, T, 7)) FoundMask |= 1 << 2;
if (NewSize == 7 && !memcmp(CH3, T, 7)) FoundMask |= 1 << 3;
if (NewSize == 7 && !memcmp(CH4, T, 7)) FoundMask |= 1 << 4;
}
uint8_t CH5[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x00, 0x11, 0x22};
uint8_t CH6[8] = {0x22, 0x33, 0x44, 0x00, 0x11, 0x22, 0x33, 0x44};
uint8_t CH7[8] = {0x00, 0x11, 0x22, 0x00, 0x11, 0x22, 0x33, 0x44};
uint8_t CH8[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x22, 0x33, 0x44};
uint8_t CH9[8] = {0x00, 0x11, 0x22, 0x22, 0x33, 0x44, 0x33, 0x44};
for (int i = 0; i < NumIter; i++) {
uint8_t T[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
size_t NewSize = (MD.*M)(T, 5, 8);
if (NewSize == 8 && !memcmp(CH5, T, 8)) FoundMask |= 1 << 5;
if (NewSize == 8 && !memcmp(CH6, T, 8)) FoundMask |= 1 << 6;
if (NewSize == 8 && !memcmp(CH7, T, 8)) FoundMask |= 1 << 7;
if (NewSize == 8 && !memcmp(CH8, T, 8)) FoundMask |= 1 << 8;
if (NewSize == 8 && !memcmp(CH9, T, 8)) FoundMask |= 1 << 9;
}
EXPECT_EQ(FoundMask, 1023);
}
TEST(FuzzerMutate, CopyPart1) {
TestCopyPart(&MutationDispatcher::Mutate_CopyPart, 1 << 10);
}
TEST(FuzzerMutate, CopyPart2) {
TestCopyPart(&MutationDispatcher::Mutate, 1 << 13);
}
void TestAddWordFromDictionary(Mutator M, int NumIter) {
std::unique_ptr<ExternalFunctions> t(new ExternalFunctions());
fuzzer::EF = t.get();
Random Rand(0);
MutationDispatcher MD(Rand, {});
uint8_t Word1[4] = {0xAA, 0xBB, 0xCC, 0xDD};
uint8_t Word2[3] = {0xFF, 0xEE, 0xEF};
MD.AddWordToManualDictionary(Word(Word1, sizeof(Word1)));
MD.AddWordToManualDictionary(Word(Word2, sizeof(Word2)));
int FoundMask = 0;
uint8_t CH0[7] = {0x00, 0x11, 0x22, 0xAA, 0xBB, 0xCC, 0xDD};
uint8_t CH1[7] = {0x00, 0x11, 0xAA, 0xBB, 0xCC, 0xDD, 0x22};
uint8_t CH2[7] = {0x00, 0xAA, 0xBB, 0xCC, 0xDD, 0x11, 0x22};
uint8_t CH3[7] = {0xAA, 0xBB, 0xCC, 0xDD, 0x00, 0x11, 0x22};
uint8_t CH4[6] = {0x00, 0x11, 0x22, 0xFF, 0xEE, 0xEF};
uint8_t CH5[6] = {0x00, 0x11, 0xFF, 0xEE, 0xEF, 0x22};
uint8_t CH6[6] = {0x00, 0xFF, 0xEE, 0xEF, 0x11, 0x22};
uint8_t CH7[6] = {0xFF, 0xEE, 0xEF, 0x00, 0x11, 0x22};
for (int i = 0; i < NumIter; i++) {
uint8_t T[7] = {0x00, 0x11, 0x22};
size_t NewSize = (MD.*M)(T, 3, 7);
if (NewSize == 7 && !memcmp(CH0, T, 7)) FoundMask |= 1 << 0;
if (NewSize == 7 && !memcmp(CH1, T, 7)) FoundMask |= 1 << 1;
if (NewSize == 7 && !memcmp(CH2, T, 7)) FoundMask |= 1 << 2;
if (NewSize == 7 && !memcmp(CH3, T, 7)) FoundMask |= 1 << 3;
if (NewSize == 6 && !memcmp(CH4, T, 6)) FoundMask |= 1 << 4;
if (NewSize == 6 && !memcmp(CH5, T, 6)) FoundMask |= 1 << 5;
if (NewSize == 6 && !memcmp(CH6, T, 6)) FoundMask |= 1 << 6;
if (NewSize == 6 && !memcmp(CH7, T, 6)) FoundMask |= 1 << 7;
}
EXPECT_EQ(FoundMask, 255);
}
TEST(FuzzerMutate, AddWordFromDictionary1) {
TestAddWordFromDictionary(
&MutationDispatcher::Mutate_AddWordFromManualDictionary, 1 << 15);
}
TEST(FuzzerMutate, AddWordFromDictionary2) {
TestAddWordFromDictionary(&MutationDispatcher::Mutate, 1 << 15);
}
void TestAddWordFromDictionaryWithHint(Mutator M, int NumIter) {
std::unique_ptr<ExternalFunctions> t(new ExternalFunctions());
fuzzer::EF = t.get();
Random Rand(0);
MutationDispatcher MD(Rand, {});
uint8_t W[] = {0xAA, 0xBB, 0xCC, 0xDD, 0xFF, 0xEE, 0xEF};
size_t PosHint = 7777;
MD.AddWordToAutoDictionary({Word(W, sizeof(W)), PosHint});
int FoundMask = 0;
for (int i = 0; i < NumIter; i++) {
uint8_t T[10000];
memset(T, 0, sizeof(T));
size_t NewSize = (MD.*M)(T, 9000, 10000);
if (NewSize >= PosHint + sizeof(W) &&
!memcmp(W, T + PosHint, sizeof(W)))
FoundMask = 1;
}
EXPECT_EQ(FoundMask, 1);
}
TEST(FuzzerMutate, AddWordFromDictionaryWithHint1) {
TestAddWordFromDictionaryWithHint(
&MutationDispatcher::Mutate_AddWordFromTemporaryAutoDictionary, 1 << 5);
}
TEST(FuzzerMutate, AddWordFromDictionaryWithHint2) {
TestAddWordFromDictionaryWithHint(&MutationDispatcher::Mutate, 1 << 10);
}
void TestChangeASCIIInteger(Mutator M, int NumIter) {
std::unique_ptr<ExternalFunctions> t(new ExternalFunctions());
fuzzer::EF = t.get();
Random Rand(0);
MutationDispatcher MD(Rand, {});
uint8_t CH0[8] = {'1', '2', '3', '4', '5', '6', '7', '7'};
uint8_t CH1[8] = {'1', '2', '3', '4', '5', '6', '7', '9'};
uint8_t CH2[8] = {'2', '4', '6', '9', '1', '3', '5', '6'};
uint8_t CH3[8] = {'0', '6', '1', '7', '2', '8', '3', '9'};
int FoundMask = 0;
for (int i = 0; i < NumIter; i++) {
uint8_t T[8] = {'1', '2', '3', '4', '5', '6', '7', '8'};
size_t NewSize = (MD.*M)(T, 8, 8);
/**/ if (NewSize == 8 && !memcmp(CH0, T, 8)) FoundMask |= 1 << 0;
else if (NewSize == 8 && !memcmp(CH1, T, 8)) FoundMask |= 1 << 1;
else if (NewSize == 8 && !memcmp(CH2, T, 8)) FoundMask |= 1 << 2;
else if (NewSize == 8 && !memcmp(CH3, T, 8)) FoundMask |= 1 << 3;
else if (NewSize == 8) FoundMask |= 1 << 4;
}
EXPECT_EQ(FoundMask, 31);
}
TEST(FuzzerMutate, ChangeASCIIInteger1) {
TestChangeASCIIInteger(&MutationDispatcher::Mutate_ChangeASCIIInteger,
1 << 15);
}
TEST(FuzzerMutate, ChangeASCIIInteger2) {
TestChangeASCIIInteger(&MutationDispatcher::Mutate, 1 << 15);
}
void TestChangeBinaryInteger(Mutator M, int NumIter) {
std::unique_ptr<ExternalFunctions> t(new ExternalFunctions());
fuzzer::EF = t.get();
Random Rand(0);
MutationDispatcher MD(Rand, {});
uint8_t CH0[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x79};
uint8_t CH1[8] = {0x00, 0x11, 0x22, 0x31, 0x44, 0x55, 0x66, 0x77};
uint8_t CH2[8] = {0xff, 0x10, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
uint8_t CH3[8] = {0x00, 0x11, 0x2a, 0x33, 0x44, 0x55, 0x66, 0x77};
uint8_t CH4[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x4f, 0x66, 0x77};
uint8_t CH5[8] = {0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99, 0x88};
uint8_t CH6[8] = {0x00, 0x11, 0x22, 0x00, 0x00, 0x00, 0x08, 0x77}; // Size
uint8_t CH7[8] = {0x00, 0x08, 0x00, 0x33, 0x44, 0x55, 0x66, 0x77}; // Sw(Size)
int FoundMask = 0;
for (int i = 0; i < NumIter; i++) {
uint8_t T[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
size_t NewSize = (MD.*M)(T, 8, 8);
/**/ if (NewSize == 8 && !memcmp(CH0, T, 8)) FoundMask |= 1 << 0;
else if (NewSize == 8 && !memcmp(CH1, T, 8)) FoundMask |= 1 << 1;
else if (NewSize == 8 && !memcmp(CH2, T, 8)) FoundMask |= 1 << 2;
else if (NewSize == 8 && !memcmp(CH3, T, 8)) FoundMask |= 1 << 3;
else if (NewSize == 8 && !memcmp(CH4, T, 8)) FoundMask |= 1 << 4;
else if (NewSize == 8 && !memcmp(CH5, T, 8)) FoundMask |= 1 << 5;
else if (NewSize == 8 && !memcmp(CH6, T, 8)) FoundMask |= 1 << 6;
else if (NewSize == 8 && !memcmp(CH7, T, 8)) FoundMask |= 1 << 7;
}
EXPECT_EQ(FoundMask, 255);
}
TEST(FuzzerMutate, ChangeBinaryInteger1) {
TestChangeBinaryInteger(&MutationDispatcher::Mutate_ChangeBinaryInteger,
1 << 12);
}
TEST(FuzzerMutate, ChangeBinaryInteger2) {
TestChangeBinaryInteger(&MutationDispatcher::Mutate, 1 << 15);
}
TEST(FuzzerDictionary, ParseOneDictionaryEntry) {
Unit U;
EXPECT_FALSE(ParseOneDictionaryEntry("", &U));
EXPECT_FALSE(ParseOneDictionaryEntry(" ", &U));
EXPECT_FALSE(ParseOneDictionaryEntry("\t ", &U));
EXPECT_FALSE(ParseOneDictionaryEntry(" \" ", &U));
EXPECT_FALSE(ParseOneDictionaryEntry(" zz\" ", &U));
EXPECT_FALSE(ParseOneDictionaryEntry(" \"zz ", &U));
EXPECT_FALSE(ParseOneDictionaryEntry(" \"\" ", &U));
EXPECT_TRUE(ParseOneDictionaryEntry("\"a\"", &U));
EXPECT_EQ(U, Unit({'a'}));
EXPECT_TRUE(ParseOneDictionaryEntry("\"abc\"", &U));
EXPECT_EQ(U, Unit({'a', 'b', 'c'}));
EXPECT_TRUE(ParseOneDictionaryEntry("abc=\"abc\"", &U));
EXPECT_EQ(U, Unit({'a', 'b', 'c'}));
EXPECT_FALSE(ParseOneDictionaryEntry("\"\\\"", &U));
EXPECT_TRUE(ParseOneDictionaryEntry("\"\\\\\"", &U));
EXPECT_EQ(U, Unit({'\\'}));
EXPECT_TRUE(ParseOneDictionaryEntry("\"\\xAB\"", &U));
EXPECT_EQ(U, Unit({0xAB}));
EXPECT_TRUE(ParseOneDictionaryEntry("\"\\xABz\\xDE\"", &U));
EXPECT_EQ(U, Unit({0xAB, 'z', 0xDE}));
EXPECT_TRUE(ParseOneDictionaryEntry("\"#\"", &U));
EXPECT_EQ(U, Unit({'#'}));
EXPECT_TRUE(ParseOneDictionaryEntry("\"\\\"\"", &U));
EXPECT_EQ(U, Unit({'"'}));
}
TEST(FuzzerDictionary, ParseDictionaryFile) {
std::vector<Unit> Units;
EXPECT_FALSE(ParseDictionaryFile("zzz\n", &Units));
EXPECT_FALSE(ParseDictionaryFile("", &Units));
EXPECT_TRUE(ParseDictionaryFile("\n", &Units));
EXPECT_EQ(Units.size(), 0U);
EXPECT_TRUE(ParseDictionaryFile("#zzzz a b c d\n", &Units));
EXPECT_EQ(Units.size(), 0U);
EXPECT_TRUE(ParseDictionaryFile(" #zzzz\n", &Units));
EXPECT_EQ(Units.size(), 0U);
EXPECT_TRUE(ParseDictionaryFile(" #zzzz\n", &Units));
EXPECT_EQ(Units.size(), 0U);
EXPECT_TRUE(ParseDictionaryFile(" #zzzz\naaa=\"aa\"", &Units));
EXPECT_EQ(Units, std::vector<Unit>({Unit({'a', 'a'})}));
EXPECT_TRUE(
ParseDictionaryFile(" #zzzz\naaa=\"aa\"\n\nabc=\"abc\"", &Units));
EXPECT_EQ(Units,
std::vector<Unit>({Unit({'a', 'a'}), Unit({'a', 'b', 'c'})}));
}
TEST(FuzzerUtil, Base64) {
EXPECT_EQ("", Base64({}));
EXPECT_EQ("YQ==", Base64({'a'}));
EXPECT_EQ("eA==", Base64({'x'}));
EXPECT_EQ("YWI=", Base64({'a', 'b'}));
EXPECT_EQ("eHk=", Base64({'x', 'y'}));
EXPECT_EQ("YWJj", Base64({'a', 'b', 'c'}));
EXPECT_EQ("eHl6", Base64({'x', 'y', 'z'}));
EXPECT_EQ("YWJjeA==", Base64({'a', 'b', 'c', 'x'}));
EXPECT_EQ("YWJjeHk=", Base64({'a', 'b', 'c', 'x', 'y'}));
EXPECT_EQ("YWJjeHl6", Base64({'a', 'b', 'c', 'x', 'y', 'z'}));
}
TEST(Corpus, Distribution) {
Random Rand(0);
InputCorpus C("");
size_t N = 10;
size_t TriesPerUnit = 1<<16;
for (size_t i = 0; i < N; i++)
C.AddToCorpus(Unit{ static_cast<uint8_t>(i) }, 0);
std::vector<size_t> Hist(N);
for (size_t i = 0; i < N * TriesPerUnit; i++) {
Hist[C.ChooseUnitIdxToMutate(Rand)]++;
}
for (size_t i = 0; i < N; i++) {
// A weak sanity check that every unit gets invoked.
EXPECT_GT(Hist[i], TriesPerUnit / N / 3);
}
}
TEST(Merge, Bad) {
const char *kInvalidInputs[] = {
"",
"x",
"3\nx",
"2\n3",
"2\n2",
"2\n2\nA\n",
"2\n2\nA\nB\nC\n",
"0\n0\n",
"1\n1\nA\nDONE 0",
"1\n1\nA\nSTARTED 1",
};
Merger M;
for (auto S : kInvalidInputs) {
// fprintf(stderr, "TESTING:\n%s\n", S);
EXPECT_FALSE(M.Parse(S, false));
}
}
void EQ(const std::vector<uint32_t> &A, const std::vector<uint32_t> &B) {
EXPECT_EQ(A, B);
}
void EQ(const std::vector<std::string> &A, const std::vector<std::string> &B) {
std::set<std::string> a(A.begin(), A.end());
std::set<std::string> b(B.begin(), B.end());
EXPECT_EQ(a, b);
}
static void Merge(const std::string &Input,
const std::vector<std::string> Result,
size_t NumNewFeatures) {
Merger M;
std::vector<std::string> NewFiles;
EXPECT_TRUE(M.Parse(Input, true));
EXPECT_EQ(NumNewFeatures, M.Merge(&NewFiles));
EQ(NewFiles, Result);
}
TEST(Merge, Good) {
Merger M;
EXPECT_TRUE(M.Parse("1\n0\nAA\n", false));
EXPECT_EQ(M.Files.size(), 1U);
EXPECT_EQ(M.NumFilesInFirstCorpus, 0U);
EXPECT_EQ(M.Files[0].Name, "AA");
EXPECT_TRUE(M.LastFailure.empty());
EXPECT_EQ(M.FirstNotProcessedFile, 0U);
EXPECT_TRUE(M.Parse("2\n1\nAA\nBB\nSTARTED 0 42\n", false));
EXPECT_EQ(M.Files.size(), 2U);
EXPECT_EQ(M.NumFilesInFirstCorpus, 1U);
EXPECT_EQ(M.Files[0].Name, "AA");
EXPECT_EQ(M.Files[1].Name, "BB");
EXPECT_EQ(M.LastFailure, "AA");
EXPECT_EQ(M.FirstNotProcessedFile, 1U);
EXPECT_TRUE(M.Parse("3\n1\nAA\nBB\nC\n"
"STARTED 0 1000\n"
"DONE 0 1 2 3\n"
"STARTED 1 1001\n"
"DONE 1 4 5 6 \n"
"STARTED 2 1002\n"
"", true));
EXPECT_EQ(M.Files.size(), 3U);
EXPECT_EQ(M.NumFilesInFirstCorpus, 1U);
EXPECT_EQ(M.Files[0].Name, "AA");
EXPECT_EQ(M.Files[0].Size, 1000U);
EXPECT_EQ(M.Files[1].Name, "BB");
EXPECT_EQ(M.Files[1].Size, 1001U);
EXPECT_EQ(M.Files[2].Name, "C");
EXPECT_EQ(M.Files[2].Size, 1002U);
EXPECT_EQ(M.LastFailure, "C");
EXPECT_EQ(M.FirstNotProcessedFile, 3U);
EQ(M.Files[0].Features, {1, 2, 3});
EQ(M.Files[1].Features, {4, 5, 6});
std::vector<std::string> NewFiles;
EXPECT_TRUE(M.Parse("3\n2\nAA\nBB\nC\n"
"STARTED 0 1000\nDONE 0 1 2 3\n"
"STARTED 1 1001\nDONE 1 4 5 6 \n"
"STARTED 2 1002\nDONE 2 6 1 3 \n"
"", true));
EXPECT_EQ(M.Files.size(), 3U);
EXPECT_EQ(M.NumFilesInFirstCorpus, 2U);
EXPECT_TRUE(M.LastFailure.empty());
EXPECT_EQ(M.FirstNotProcessedFile, 3U);
EQ(M.Files[0].Features, {1, 2, 3});
EQ(M.Files[1].Features, {4, 5, 6});
EQ(M.Files[2].Features, {1, 3, 6});
EXPECT_EQ(0U, M.Merge(&NewFiles));
EQ(NewFiles, {});
EXPECT_TRUE(M.Parse("3\n1\nA\nB\nC\n"
"STARTED 0 1000\nDONE 0 1 2 3\n"
"STARTED 1 1001\nDONE 1 4 5 6 \n"
"STARTED 2 1002\nDONE 2 6 1 3\n"
"", true));
EQ(M.Files[0].Features, {1, 2, 3});
EQ(M.Files[1].Features, {4, 5, 6});
EQ(M.Files[2].Features, {1, 3, 6});
EXPECT_EQ(3U, M.Merge(&NewFiles));
EQ(NewFiles, {"B"});
}
TEST(Merge, Merge) {
Merge("3\n1\nA\nB\nC\n"
"STARTED 0 1000\nDONE 0 1 2 3\n"
"STARTED 1 1001\nDONE 1 4 5 6 \n"
"STARTED 2 1002\nDONE 2 6 1 3 \n",
{"B"}, 3);
Merge("3\n0\nA\nB\nC\n"
"STARTED 0 2000\nDONE 0 1 2 3\n"
"STARTED 1 1001\nDONE 1 4 5 6 \n"
"STARTED 2 1002\nDONE 2 6 1 3 \n",
{"A", "B", "C"}, 6);
Merge("4\n0\nA\nB\nC\nD\n"
"STARTED 0 2000\nDONE 0 1 2 3\n"
"STARTED 1 1101\nDONE 1 4 5 6 \n"
"STARTED 2 1102\nDONE 2 6 1 3 100 \n"
"STARTED 3 1000\nDONE 3 1 \n",
{"A", "B", "C", "D"}, 7);
Merge("4\n1\nA\nB\nC\nD\n"
"STARTED 0 2000\nDONE 0 4 5 6 7 8\n"
"STARTED 1 1100\nDONE 1 1 2 3 \n"
"STARTED 2 1100\nDONE 2 2 3 \n"
"STARTED 3 1000\nDONE 3 1 \n",
{"B", "D"}, 3);
}

28
source/lib/json/tests/thirdparty/Fuzzer/test/InitializeTest.cpp vendored Normal file
View File

@ -0,0 +1,28 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Make sure LLVMFuzzerInitialize is called.
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static char *argv0;
extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
assert(*argc > 0);
argv0 = **argv;
fprintf(stderr, "LLVMFuzzerInitialize: %s\n", argv0);
return 0;
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size == strlen(argv0) &&
!strncmp(reinterpret_cast<const char *>(Data), argv0, Size)) {
fprintf(stderr, "BINGO %s\n", argv0);
exit(1);
}
return 0;
}

17
source/lib/json/tests/thirdparty/Fuzzer/test/LeakTest.cpp vendored Normal file
View File

@ -0,0 +1,17 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Test with a leak.
#include <cstdint>
#include <cstddef>
static volatile void *Sink;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size > 0 && *Data == 'H') {
Sink = new int;
Sink = nullptr;
}
return 0;
}

17
source/lib/json/tests/thirdparty/Fuzzer/test/LeakTimeoutTest.cpp vendored Normal file
View File

@ -0,0 +1,17 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Test with a leak.
#include <cstdint>
#include <cstddef>
static volatile int *Sink;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (!Size) return 0;
Sink = new int;
Sink = new int;
while (Sink) *Sink = 0; // Infinite loop.
return 0;
}

22
source/lib/json/tests/thirdparty/Fuzzer/test/LoadTest.cpp vendored Normal file
View File

@ -0,0 +1,22 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer: find interesting value of array index.
#include <assert.h>
#include <cstdint>
#include <cstring>
#include <cstddef>
#include <iostream>
static volatile int Sink;
const int kArraySize = 1234567;
int array[kArraySize];
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size < 8) return 0;
size_t a = 0;
memcpy(&a, Data, 8);
Sink = array[a % (kArraySize + 1)];
return 0;
}

31
source/lib/json/tests/thirdparty/Fuzzer/test/MemcmpTest.cpp vendored Normal file
View File

@ -0,0 +1,31 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer. The fuzzer must find a particular string.
#include <cstring>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
// TODO: check other sizes.
if (Size >= 8 && memcmp(Data, "01234567", 8) == 0) {
if (Size >= 12 && memcmp(Data + 8, "ABCD", 4) == 0) {
if (Size >= 14 && memcmp(Data + 12, "XY", 2) == 0) {
if (Size >= 17 && memcmp(Data + 14, "KLM", 3) == 0) {
if (Size >= 27 && memcmp(Data + 17, "ABCDE-GHIJ", 10) == 0){
fprintf(stderr, "BINGO %zd\n", Size);
for (size_t i = 0; i < Size; i++) {
uint8_t C = Data[i];
if (C >= 32 && C < 127)
fprintf(stderr, "%c", C);
}
fprintf(stderr, "\n");
exit(1);
}
}
}
}
}
return 0;
}

18
source/lib/json/tests/thirdparty/Fuzzer/test/NthRunCrashTest.cpp vendored Normal file
View File

@ -0,0 +1,18 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Crash on the N-th execution.
#include <cstdint>
#include <cstddef>
#include <iostream>
static int Counter;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Counter++ == 1000) {
std::cout << "BINGO; Found the target, exiting\n";
exit(1);
}
return 0;
}

19
source/lib/json/tests/thirdparty/Fuzzer/test/NullDerefOnEmptyTest.cpp vendored Normal file
View File

@ -0,0 +1,19 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer. The fuzzer must find the empty string.
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <iostream>
static volatile int *Null = 0;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size == 0) {
std::cout << "Found the target, dereferencing NULL\n";
*Null = 1;
}
return 0;
}

26
source/lib/json/tests/thirdparty/Fuzzer/test/NullDerefTest.cpp vendored Normal file
View File

@ -0,0 +1,26 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer. The fuzzer must find the string "Hi!".
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <iostream>
static volatile int Sink;
static volatile int *Null = 0;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size > 0 && Data[0] == 'H') {
Sink = 1;
if (Size > 1 && Data[1] == 'i') {
Sink = 2;
if (Size > 2 && Data[2] == '!') {
std::cout << "Found the target, dereferencing NULL\n";
*Null = 1;
}
}
}
return 0;
}

28
source/lib/json/tests/thirdparty/Fuzzer/test/OneHugeAllocTest.cpp vendored Normal file
View File

@ -0,0 +1,28 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Tests OOM handling when there is a single large allocation.
#include <assert.h>
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <cstring>
#include <iostream>
static volatile char *SinkPtr;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size > 0 && Data[0] == 'H') {
if (Size > 1 && Data[1] == 'i') {
if (Size > 2 && Data[2] == '!') {
size_t kSize = (size_t)1 << 31;
char *p = new char[kSize];
memset(p, 0, kSize);
SinkPtr = p;
delete [] p;
}
}
}
return 0;
}

27
source/lib/json/tests/thirdparty/Fuzzer/test/OutOfMemorySingleLargeMallocTest.cpp vendored Normal file
View File

@ -0,0 +1,27 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Tests OOM handling.
#include <assert.h>
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <cstring>
#include <iostream>
static volatile char *SinkPtr;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size > 0 && Data[0] == 'H') {
if (Size > 1 && Data[1] == 'i') {
if (Size > 2 && Data[2] == '!') {
size_t kSize = 0xff000000U;
char *p = new char[kSize];
SinkPtr = p;
delete [] p;
}
}
}
return 0;
}

31
source/lib/json/tests/thirdparty/Fuzzer/test/OutOfMemoryTest.cpp vendored Normal file
View File

@ -0,0 +1,31 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Tests OOM handling.
#include <assert.h>
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <cstring>
#include <iostream>
#include <thread>
static volatile char *SinkPtr;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size > 0 && Data[0] == 'H') {
if (Size > 1 && Data[1] == 'i') {
if (Size > 2 && Data[2] == '!') {
while (true) {
size_t kSize = 1 << 28;
char *p = new char[kSize];
memset(p, 0, kSize);
SinkPtr = p;
std::this_thread::sleep_for(std::chrono::seconds(1));
}
}
}
}
return 0;
}

29
source/lib/json/tests/thirdparty/Fuzzer/test/RepeatedBytesTest.cpp vendored Normal file
View File

@ -0,0 +1,29 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer. The fuzzer must find repeated bytes.
#include <assert.h>
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <iostream>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
assert(Data);
// Looking for AAAAAAAAAAAAAAAAAAAAAA or some such.
size_t CurA = 0, MaxA = 0;
for (size_t i = 0; i < Size; i++) {
// Make sure there are no conditionals in the loop so that
// coverage can't help the fuzzer.
int EQ = Data[i] == 'A';
CurA = EQ * (CurA + 1);
int GT = CurA > MaxA;
MaxA = GT * CurA + (!GT) * MaxA;
}
if (MaxA >= 20) {
std::cout << "BINGO; Found the target (Max: " << MaxA << "), exiting\n";
exit(0);
}
return 0;
}

22
source/lib/json/tests/thirdparty/Fuzzer/test/RepeatedMemcmp.cpp vendored Normal file
View File

@ -0,0 +1,22 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
#include <cstring>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
int Matches = 0;
for (size_t i = 0; i + 2 < Size; i += 3) {
const char *Pat = i % 2 ? "foo" : "bar";
if (!memcmp(Data + i, Pat, 3))
Matches++;
}
if (Matches > 20) {
fprintf(stderr, "BINGO!\n");
exit(1);
}
return 0;
}

28
source/lib/json/tests/thirdparty/Fuzzer/test/ShrinkControlFlowTest.cpp vendored Normal file
View File

@ -0,0 +1,28 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Test that we can find the minimal item in the corpus (3 bytes: "FUZ").
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <cstring>
#include <cstdio>
static volatile int Sink;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
int8_t Ids[256];
memset(Ids, -1, sizeof(Ids));
for (size_t i = 0; i < Size; i++)
if (Ids[Data[i]] == -1)
Ids[Data[i]] = i;
int F = Ids[(unsigned char)'F'];
int U = Ids[(unsigned char)'U'];
int Z = Ids[(unsigned char)'Z'];
if (F >= 0 && U > F && Z > U) {
Sink++;
//fprintf(stderr, "IDS: %d %d %d\n", F, U, Z);
}
return 0;
}

22
source/lib/json/tests/thirdparty/Fuzzer/test/ShrinkValueProfileTest.cpp vendored Normal file
View File

@ -0,0 +1,22 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Test that we can find the minimal item in the corpus (3 bytes: "FUZ").
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <cstring>
#include <cstdio>
static volatile uint32_t Sink;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size < sizeof(uint32_t)) return 0;
uint32_t X, Y;
size_t Offset = Size < 8 ? 0 : Size / 2;
memcpy(&X, Data + Offset, sizeof(uint32_t));
memcpy(&Y, "FUZZ", sizeof(uint32_t));
Sink = X == Y;
return 0;
}

28
source/lib/json/tests/thirdparty/Fuzzer/test/SignedIntOverflowTest.cpp vendored Normal file
View File

@ -0,0 +1,28 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Test for signed-integer-overflow.
#include <assert.h>
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <iostream>
#include <climits>
static volatile int Sink;
static int Large = INT_MAX;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
assert(Data);
if (Size > 0 && Data[0] == 'H') {
Sink = 1;
if (Size > 1 && Data[1] == 'i') {
Sink = 2;
if (Size > 2 && Data[2] == '!') {
Large++; // int overflow.
}
}
}
return 0;
}

46
source/lib/json/tests/thirdparty/Fuzzer/test/SimpleCmpTest.cpp vendored Normal file
View File

@ -0,0 +1,46 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer. The fuzzer must find several narrow ranges.
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <cstdio>
extern int AllLines[];
bool PrintOnce(int Line) {
if (!AllLines[Line])
fprintf(stderr, "Seen line %d\n", Line);
AllLines[Line] = 1;
return true;
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size != 22) return 0;
uint64_t x = 0;
int64_t y = 0;
int32_t z = 0;
uint16_t a = 0;
memcpy(&x, Data, 8); // 8
memcpy(&y, Data + 8, 8); // 16
memcpy(&z, Data + 16, sizeof(z)); // 20
memcpy(&a, Data + 20, sizeof(a)); // 22
if (x > 1234567890 && PrintOnce(__LINE__) &&
x < 1234567895 && PrintOnce(__LINE__) &&
a == 0x4242 && PrintOnce(__LINE__) &&
y >= 987654321 && PrintOnce(__LINE__) &&
y <= 987654325 && PrintOnce(__LINE__) &&
z < -10000 && PrintOnce(__LINE__) &&
z >= -10005 && PrintOnce(__LINE__) &&
z != -10003 && PrintOnce(__LINE__) &&
true) {
fprintf(stderr, "BINGO; Found the target: size %zd (%zd, %zd, %d, %d), exiting.\n",
Size, x, y, z, a);
exit(1);
}
return 0;
}
int AllLines[__LINE__ + 1]; // Must be the last line.

29
source/lib/json/tests/thirdparty/Fuzzer/test/SimpleDictionaryTest.cpp vendored Normal file
View File

@ -0,0 +1,29 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer.
// The fuzzer must find a string based on dictionary words:
// "Elvis"
// "Presley"
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <cstring>
#include <iostream>
static volatile int Zero = 0;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
const char *Expected = "ElvisPresley";
if (Size < strlen(Expected)) return 0;
size_t Match = 0;
for (size_t i = 0; Expected[i]; i++)
if (Expected[i] + Zero == Data[i])
Match++;
if (Match == strlen(Expected)) {
std::cout << "BINGO; Found the target, exiting\n";
exit(1);
}
return 0;
}

40
source/lib/json/tests/thirdparty/Fuzzer/test/SimpleHashTest.cpp vendored Normal file
View File

@ -0,0 +1,40 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// This test computes a checksum of the data (all but the last 4 bytes),
// and then compares the last 4 bytes with the computed value.
// A fuzzer with cmp traces is expected to defeat this check.
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <cstdio>
// A modified jenkins_one_at_a_time_hash initialized by non-zero,
// so that simple_hash(0) != 0. See also
// https://en.wikipedia.org/wiki/Jenkins_hash_function
static uint32_t simple_hash(const uint8_t *Data, size_t Size) {
uint32_t Hash = 0x12039854;
for (uint32_t i = 0; i < Size; i++) {
Hash += Data[i];
Hash += (Hash << 10);
Hash ^= (Hash >> 6);
}
Hash += (Hash << 3);
Hash ^= (Hash >> 11);
Hash += (Hash << 15);
return Hash;
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size < 14)
return 0;
uint32_t Hash = simple_hash(&Data[0], Size - 4);
uint32_t Want = reinterpret_cast<const uint32_t *>(&Data[Size - 4])[0];
if (Hash != Want)
return 0;
fprintf(stderr, "BINGO; simple_hash defeated: %x == %x\n", (unsigned int)Hash,
(unsigned int)Want);
exit(1);
return 0;
}

27
source/lib/json/tests/thirdparty/Fuzzer/test/SimpleTest.cpp vendored Normal file
View File

@ -0,0 +1,27 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer. The fuzzer must find the string "Hi!".
#include <assert.h>
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <iostream>
static volatile int Sink;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
assert(Data);
if (Size > 0 && Data[0] == 'H') {
Sink = 1;
if (Size > 1 && Data[1] == 'i') {
Sink = 2;
if (Size > 2 && Data[2] == '!') {
std::cout << "BINGO; Found the target, exiting\n";
exit(0);
}
}
}
return 0;
}

25
source/lib/json/tests/thirdparty/Fuzzer/test/SimpleThreadedTest.cpp vendored Normal file
View File

@ -0,0 +1,25 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Threaded test for a fuzzer. The fuzzer should find "H"
#include <assert.h>
#include <cstdint>
#include <cstddef>
#include <cstring>
#include <iostream>
#include <thread>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
auto C = [&] {
if (Size >= 2 && Data[0] == 'H') {
std::cout << "BINGO; Found the target, exiting\n";
abort();
}
};
std::thread T[] = {std::thread(C), std::thread(C), std::thread(C),
std::thread(C), std::thread(C), std::thread(C)};
for (auto &X : T)
X.join();
return 0;
}

17
source/lib/json/tests/thirdparty/Fuzzer/test/SingleMemcmpTest.cpp vendored Normal file
View File

@ -0,0 +1,17 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer. The fuzzer must find a particular string.
#include <cstring>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
char *S = (char*)Data;
if (Size >= 6 && !memcmp(S, "qwerty", 6)) {
fprintf(stderr, "BINGO\n");
exit(1);
}
return 0;
}

17
source/lib/json/tests/thirdparty/Fuzzer/test/SingleStrcmpTest.cpp vendored Normal file
View File

@ -0,0 +1,17 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer. The fuzzer must find a particular string.
#include <cstring>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
char *S = (char*)Data;
if (Size >= 7 && !strcmp(S, "qwerty")) {
fprintf(stderr, "BINGO\n");
exit(1);
}
return 0;
}

17
source/lib/json/tests/thirdparty/Fuzzer/test/SingleStrncmpTest.cpp vendored Normal file
View File

@ -0,0 +1,17 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer. The fuzzer must find a particular string.
#include <cstring>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
char *S = (char*)Data;
if (Size >= 6 && !strncmp(S, "qwerty", 6)) {
fprintf(stderr, "BINGO\n");
exit(1);
}
return 0;
}

21
source/lib/json/tests/thirdparty/Fuzzer/test/SpamyTest.cpp vendored Normal file
View File

@ -0,0 +1,21 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// The test spams to stderr and stdout.
#include <assert.h>
#include <cstdint>
#include <cstdio>
#include <cstddef>
#include <iostream>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
assert(Data);
printf("PRINTF_STDOUT\n");
fflush(stdout);
fprintf(stderr, "PRINTF_STDERR\n");
std::cout << "STREAM_COUT\n";
std::cout.flush();
std::cerr << "STREAM_CERR\n";
return 0;
}

32
source/lib/json/tests/thirdparty/Fuzzer/test/StrcmpTest.cpp vendored Normal file
View File

@ -0,0 +1,32 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Break through a series of strcmp.
#include <cstring>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cassert>
bool Eq(const uint8_t *Data, size_t Size, const char *Str) {
char Buff[1024];
size_t Len = strlen(Str);
if (Size < Len) return false;
if (Len >= sizeof(Buff)) return false;
memcpy(Buff, (char*)Data, Len);
Buff[Len] = 0;
int res = strcmp(Buff, Str);
return res == 0;
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Eq(Data, Size, "ABC") &&
Size >= 3 && Eq(Data + 3, Size - 3, "QWER") &&
Size >= 7 && Eq(Data + 7, Size - 7, "ZXCVN") &&
Size >= 14 && Data[13] == 42
) {
fprintf(stderr, "BINGO\n");
exit(1);
}
return 0;
}

21
source/lib/json/tests/thirdparty/Fuzzer/test/StrncmpOOBTest.cpp vendored Normal file
View File

@ -0,0 +1,21 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Test that libFuzzer itself does not read out of bounds.
#include <assert.h>
#include <cstdint>
#include <cstring>
#include <cstdlib>
#include <cstddef>
#include <iostream>
static volatile int Sink;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size < 5) return 0;
const char *Ch = reinterpret_cast<const char *>(Data);
if (Ch[Size - 3] == 'a')
Sink = strncmp(Ch + Size - 3, "abcdefg", 6);
return 0;
}

28
source/lib/json/tests/thirdparty/Fuzzer/test/StrncmpTest.cpp vendored Normal file
View File

@ -0,0 +1,28 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer. The fuzzer must find a particular string.
#include <cstring>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
static volatile int sink;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
// TODO: check other sizes.
char *S = (char*)Data;
if (Size >= 8 && strncmp(S, "123", 8))
sink = 1;
if (Size >= 8 && strncmp(S, "01234567", 8) == 0) {
if (Size >= 12 && strncmp(S + 8, "ABCD", 4) == 0) {
if (Size >= 14 && strncmp(S + 12, "XY", 2) == 0) {
if (Size >= 17 && strncmp(S + 14, "KLM", 3) == 0) {
fprintf(stderr, "BINGO\n");
exit(1);
}
}
}
}
return 0;
}

28
source/lib/json/tests/thirdparty/Fuzzer/test/StrstrTest.cpp vendored Normal file
View File

@ -0,0 +1,28 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Test strstr and strcasestr hooks.
#include <string>
#include <string.h>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
// Windows does not have strcasestr and memmem, so we are not testing them.
#ifdef _WIN32
#define strcasestr strstr
#define memmem(a, b, c, d) true
#endif
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size < 4) return 0;
std::string s(reinterpret_cast<const char*>(Data), Size);
if (strstr(s.c_str(), "FUZZ") &&
strcasestr(s.c_str(), "aBcD") &&
memmem(s.data(), s.size(), "kuku", 4)
) {
fprintf(stderr, "BINGO\n");
exit(1);
}
return 0;
}

34
source/lib/json/tests/thirdparty/Fuzzer/test/SwapCmpTest.cpp vendored Normal file
View File

@ -0,0 +1,34 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// The fuzzer must find several constants with swapped bytes.
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <cstdio>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size < 14) return 0;
uint64_t x = 0;
uint32_t y = 0;
uint16_t z = 0;
memcpy(&x, Data, sizeof(x));
memcpy(&y, Data + Size / 2, sizeof(y));
memcpy(&z, Data + Size - sizeof(z), sizeof(z));
x = __builtin_bswap64(x);
y = __builtin_bswap32(y);
z = __builtin_bswap16(z);
if (x == 0x46555A5A5A5A5546ULL &&
z == 0x4F4B &&
y == 0x66757A7A &&
true
) {
if (Data[Size - 3] == 'z') {
fprintf(stderr, "BINGO; Found the target\n");
exit(1);
}
}
return 0;
}

35
source/lib/json/tests/thirdparty/Fuzzer/test/Switch2Test.cpp vendored Normal file
View File

@ -0,0 +1,35 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer. The fuzzer must find the interesting switch value.
#include <cstdint>
#include <cstdlib>
#include <cstdio>
#include <cstring>
#include <cstddef>
int Switch(int a) {
switch(a) {
case 100001: return 1;
case 100002: return 2;
case 100003: return 4;
}
return 0;
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
const int N = 3;
if (Size < N * sizeof(int)) return 0;
int Res = 0;
for (int i = 0; i < N; i++) {
int X;
memcpy(&X, Data + i * sizeof(int), sizeof(int));
Res += Switch(X);
}
if (Res == 5 || Res == 3 || Res == 6 || Res == 7) {
fprintf(stderr, "BINGO; Found the target, exiting; Res=%d\n", Res);
exit(1);
}
return 0;
}

58
source/lib/json/tests/thirdparty/Fuzzer/test/SwitchTest.cpp vendored Normal file
View File

@ -0,0 +1,58 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer. The fuzzer must find the interesting switch value.
#include <cstdint>
#include <cstdlib>
#include <cstdio>
#include <cstring>
#include <cstddef>
static volatile int Sink;
template<class T>
bool Switch(const uint8_t *Data, size_t Size) {
T X;
if (Size < sizeof(X)) return false;
memcpy(&X, Data, sizeof(X));
switch (X) {
case 1: Sink = __LINE__; break;
case 101: Sink = __LINE__; break;
case 1001: Sink = __LINE__; break;
case 10001: Sink = __LINE__; break;
// case 100001: Sink = __LINE__; break;
// case 1000001: Sink = __LINE__; break;
case 10000001: Sink = __LINE__; break;
case 100000001: return true;
}
return false;
}
bool ShortSwitch(const uint8_t *Data, size_t Size) {
short X;
if (Size < sizeof(short)) return false;
memcpy(&X, Data, sizeof(short));
switch(X) {
case 42: Sink = __LINE__; break;
case 402: Sink = __LINE__; break;
case 4002: Sink = __LINE__; break;
case 5002: Sink = __LINE__; break;
case 7002: Sink = __LINE__; break;
case 9002: Sink = __LINE__; break;
case 14002: Sink = __LINE__; break;
case 21402: return true;
}
return false;
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size >= 4 && Switch<int>(Data, Size) &&
Size >= 12 && Switch<uint64_t>(Data + 4, Size - 4) &&
Size >= 14 && ShortSwitch(Data + 12, 2)
) {
fprintf(stderr, "BINGO; Found the target, exiting\n");
exit(1);
}
return 0;
}

18
source/lib/json/tests/thirdparty/Fuzzer/test/ThreadedLeakTest.cpp vendored Normal file
View File

@ -0,0 +1,18 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// The fuzzer should find a leak in a non-main thread.
#include <cstdint>
#include <cstddef>
#include <thread>
static volatile int *Sink;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size == 0) return 0;
if (Data[0] != 'F') return 0;
std::thread T([&] { Sink = new int; });
T.join();
return 0;
}

26
source/lib/json/tests/thirdparty/Fuzzer/test/ThreadedTest.cpp vendored Normal file
View File

@ -0,0 +1,26 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Threaded test for a fuzzer. The fuzzer should not crash.
#include <assert.h>
#include <cstdint>
#include <cstddef>
#include <cstring>
#include <thread>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size < 8) return 0;
assert(Data);
auto C = [&] {
size_t Res = 0;
for (size_t i = 0; i < Size / 2; i++)
Res += memcmp(Data, Data + Size / 2, 4);
return Res;
};
std::thread T[] = {std::thread(C), std::thread(C), std::thread(C),
std::thread(C), std::thread(C), std::thread(C)};
for (auto &X : T)
X.join();
return 0;
}

14
source/lib/json/tests/thirdparty/Fuzzer/test/TimeoutEmptyTest.cpp vendored Normal file
View File

@ -0,0 +1,14 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer. The fuzzer must find the empty string.
#include <cstdint>
#include <cstddef>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
static volatile int Zero = 0;
if (!Size)
while(!Zero)
;
return 0;
}

26
source/lib/json/tests/thirdparty/Fuzzer/test/TimeoutTest.cpp vendored Normal file
View File

@ -0,0 +1,26 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Simple test for a fuzzer. The fuzzer must find the string "Hi!".
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <iostream>
static volatile int Sink;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size > 0 && Data[0] == 'H') {
Sink = 1;
if (Size > 1 && Data[1] == 'i') {
Sink = 2;
if (Size > 2 && Data[2] == '!') {
Sink = 2;
while (Sink)
;
}
}
}
return 0;
}

27
source/lib/json/tests/thirdparty/Fuzzer/test/TraceMallocTest.cpp vendored Normal file
View File

@ -0,0 +1,27 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// Tests -trace_malloc
#include <assert.h>
#include <cstdint>
#include <cstdlib>
#include <cstddef>
#include <iostream>
int *Ptr;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (!Size) return 0;
if (*Data == 1) {
delete Ptr;
Ptr = nullptr;
} else if (*Data == 2) {
delete Ptr;
Ptr = new int;
} else if (*Data == 3) {
if (!Ptr)
Ptr = new int;
}
return 0;
}

11
source/lib/json/tests/thirdparty/Fuzzer/test/UninstrumentedTest.cpp vendored Normal file
View File

@ -0,0 +1,11 @@
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
// This test should not be instrumented.
#include <cstdint>
#include <cstddef>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
return 0;
}

28
source/lib/json/tests/thirdparty/Fuzzer/test/afl-driver-extra-stats.test vendored Normal file
View File

@ -0,0 +1,28 @@
; Test that not specifying an extra stats file isn't broken.
RUN: unset AFL_DRIVER_EXTRA_STATS_FILENAME
RUN: AFLDriverTest
; Test that specifying an invalid extra stats file causes a crash.
RUN: ASAN_OPTIONS= AFL_DRIVER_EXTRA_STATS_FILENAME=%T not --crash AFLDriverTest
; Test that specifying a corrupted stats file causes a crash.
echo "peak_rss_mb :0" > %t
ASAN_OPTIONS= AFL_DRIVER_EXTRA_STATS_FILENAME=%t not --crash AFLDriverTest
; Test that specifying a valid nonexistent stats file works.
RUN: rm -f %t
RUN: AFL_DRIVER_EXTRA_STATS_FILENAME=%t AFLDriverTest
RUN: [[ $(grep "peak_rss_mb\|slowest_unit_time_sec" %t | wc -l) -eq 2 ]]
; Test that specifying a valid preexisting stats file works.
RUN: printf "peak_rss_mb : 0\nslowest_unit_time_sec: 0\n" > %t
RUN: AFL_DRIVER_EXTRA_STATS_FILENAME=%t AFLDriverTest
; Check that both lines were printed.
RUN: [[ $(grep "peak_rss_mb\|slowest_unit_time_sec" %t | wc -l) -eq 2 ]]
; Test that peak_rss_mb and slowest_unit_time_in_secs are only updated when necessary.
; Check that both lines have 9999 since there's no way we have exceeded that
; amount of time or virtual memory.
RUN: printf "peak_rss_mb : 9999\nslowest_unit_time_sec: 9999\n" > %t
RUN: AFL_DRIVER_EXTRA_STATS_FILENAME=%t AFLDriverTest
RUN: [[ $(grep "9999" %t | wc -l) -eq 2 ]]

10
source/lib/json/tests/thirdparty/Fuzzer/test/afl-driver-stderr.test vendored Normal file
View File

@ -0,0 +1,10 @@
; Test that not specifying a stderr file isn't broken.
RUN: unset AFL_DRIVER_STDERR_DUPLICATE_FILENAME
RUN: AFLDriverTest
; Test that specifying an invalid file causes a crash.
RUN: ASAN_OPTIONS= AFL_DRIVER_STDERR_DUPLICATE_FILENAME="%T" not --crash AFLDriverTest
; Test that a file is created when specified as the duplicate stderr.
RUN: AFL_DRIVER_STDERR_DUPLICATE_FILENAME=%t AFLDriverTest
RUN: stat %t

2
source/lib/json/tests/thirdparty/Fuzzer/test/caller-callee.test vendored Normal file
View File

@ -0,0 +1,2 @@
CHECK: BINGO
RUN: not LLVMFuzzer-CallerCalleeTest -use_value_profile=1 -cross_over=0 -max_len=6 -seed=1 -runs=10000000 2>&1 | FileCheck %s

19
source/lib/json/tests/thirdparty/Fuzzer/test/coverage.test vendored Normal file
View File

@ -0,0 +1,19 @@
CHECK: COVERAGE:
CHECK-DAG: COVERED: {{.*}}in LLVMFuzzerTestOneInput {{.*}}NullDerefTest.cpp:13
CHECK-DAG: COVERED: {{.*}}in LLVMFuzzerTestOneInput {{.*}}NullDerefTest.cpp:14
CHECK-DAG: COVERED: {{.*}}in LLVMFuzzerTestOneInput {{.*}}NullDerefTest.cpp:16
CHECK-DAG: COVERED: {{.*}}in LLVMFuzzerTestOneInput {{.*}}NullDerefTest.cpp:19
CHECK: COVERED_DIRS: {{.*}}lib/Fuzzer/test
RUN: not LLVMFuzzer-NullDerefTest -print_coverage=1 2>&1 | FileCheck %s
RUN: LLVMFuzzer-DSOTest -print_coverage=1 -runs=0 2>&1 | FileCheck %s --check-prefix=DSO
DSO: COVERAGE:
DSO-DAG: COVERED:{{.*}}DSO1{{.*}}DSO1.cpp
DSO-DAG: COVERED:{{.*}}DSO2{{.*}}DSO2.cpp
DSO-DAG: COVERED:{{.*}}LLVMFuzzerTestOneInput{{.*}}DSOTestMain
DSO-DAG: UNCOVERED_LINE:{{.*}}DSO1{{.*}}DSO1.cpp
DSO-DAG: UNCOVERED_LINE:{{.*}}DSO2{{.*}}DSO2.cpp
DSO-DAG: UNCOVERED_FUNC: in Uncovered1
DSO-DAG: UNCOVERED_FUNC: in Uncovered2
DSO-DAG: UNCOVERED_LINE: in LLVMFuzzerTestOneInput
DSO-DAG: UNCOVERED_FILE:{{.*}}DSOTestExtra.cpp

4
source/lib/json/tests/thirdparty/Fuzzer/test/dict1.txt vendored Normal file
View File

@ -0,0 +1,4 @@
# Dictionary for SimpleDictionaryTest
a="Elvis"
b="Presley"

16
source/lib/json/tests/thirdparty/Fuzzer/test/dump_coverage.test vendored Normal file
View File

@ -0,0 +1,16 @@
RUN: DIR=%t_workdir
RUN: BUILD_DIR=$(pwd)
RUN: rm -rf $DIR && mkdir -p $DIR && cd $DIR
RUN: not $BUILD_DIR/LLVMFuzzer-NullDerefTest -dump_coverage=1 2>&1 | FileCheck %s
RUN: $BUILD_DIR/LLVMFuzzer-DSOTest -dump_coverage=1 -runs=0 2>&1 | FileCheck %s --check-prefix=DSO
RUN: not $BUILD_DIR/LLVMFuzzer-NullDerefTest -dump_coverage=0 2>&1 | FileCheck %s --check-prefix=NOCOV
RUN: rm -rf $DIR
CHECK: SanitizerCoverage: ./LLVMFuzzer-NullDerefTest.{{.*}}.sancov {{.*}} PCs written
DSO: SanitizerCoverage: ./LLVMFuzzer-DSOTest.{{.*}}.sancov {{.*}} PCs written
DSO-DAG: SanitizerCoverage: ./libLLVMFuzzer-DSO1.{{.*}}.sancov {{.*}} PCs written
DSO-DAG: SanitizerCoverage: ./libLLVMFuzzer-DSO2.{{.*}}.sancov {{.*}} PCs written
NOCOV-NOT: SanitizerCoverage: {{.*}} PCs written

10
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-customcrossover.test vendored Normal file
View File

@ -0,0 +1,10 @@
RUN: rm -rf %t/CustomCrossover
RUN: mkdir -p %t/CustomCrossover
RUN: echo "0123456789" > %t/CustomCrossover/digits
RUN: echo "abcdefghij" > %t/CustomCrossover/chars
RUN: not LLVMFuzzer-CustomCrossOverTest -seed=1 -use_memcmp=0 -runs=100000 %t/CustomCrossover 2>&1 | FileCheck %s --check-prefix=LLVMFuzzerCustomCrossover
RUN: rm -rf %t/CustomCrossover
LLVMFuzzerCustomCrossover: In LLVMFuzzerCustomCrossover
LLVMFuzzerCustomCrossover: BINGO

4
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-custommutator.test vendored Normal file
View File

@ -0,0 +1,4 @@
RUN: not LLVMFuzzer-CustomMutatorTest 2>&1 | FileCheck %s --check-prefix=LLVMFuzzerCustomMutator
LLVMFuzzerCustomMutator: In LLVMFuzzerCustomMutator
LLVMFuzzerCustomMutator: BINGO

6
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-dict.test vendored Normal file
View File

@ -0,0 +1,6 @@
CHECK: BINGO
Done1000000: Done 1000000 runs in
RUN: not LLVMFuzzer-SimpleDictionaryTest -dict=%S/dict1.txt -seed=1 -runs=1000003 2>&1 | FileCheck %s
RUN: LLVMFuzzer-SimpleDictionaryTest -seed=1 -runs=1000000 2>&1 | FileCheck %s --check-prefix=Done1000000

15
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-dirs.test vendored Normal file
View File

@ -0,0 +1,15 @@
RUN: rm -rf %t/SUB1
RUN: mkdir -p %t/SUB1/SUB2/SUB3
RUN: echo a > %t/SUB1/a
RUN: echo b > %t/SUB1/SUB2/b
RUN: echo c > %t/SUB1/SUB2/SUB3/c
RUN: LLVMFuzzer-SimpleTest %t/SUB1 -runs=0 2>&1 | FileCheck %s --check-prefix=SUBDIRS
SUBDIRS: READ units: 3
RUN: echo zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz > %t/SUB1/long
RUN: LLVMFuzzer-SimpleTest %t/SUB1 -runs=0 2>&1 | FileCheck %s --check-prefix=LONG
LONG: INFO: -max_len is not provided, using 94
RUN: rm -rf %t/SUB1
RUN: not LLVMFuzzer-SimpleTest NONEXISTENT_DIR 2>&1 | FileCheck %s --check-prefix=NONEXISTENT_DIR
NONEXISTENT_DIR: No such directory: NONEXISTENT_DIR; exiting

30
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-fdmask.test vendored Normal file
View File

@ -0,0 +1,30 @@
RUN: LLVMFuzzer-SpamyTest -runs=1 2>&1 | FileCheck %s --check-prefix=FD_MASK_0
RUN: LLVMFuzzer-SpamyTest -runs=1 -close_fd_mask=0 2>&1 | FileCheck %s --check-prefix=FD_MASK_0
RUN: LLVMFuzzer-SpamyTest -runs=1 -close_fd_mask=1 2>&1 | FileCheck %s --check-prefix=FD_MASK_1
RUN: LLVMFuzzer-SpamyTest -runs=1 -close_fd_mask=2 2>&1 | FileCheck %s --check-prefix=FD_MASK_2
RUN: LLVMFuzzer-SpamyTest -runs=1 -close_fd_mask=3 2>&1 | FileCheck %s --check-prefix=FD_MASK_3
FD_MASK_0: PRINTF_STDOUT
FD_MASK_0: PRINTF_STDERR
FD_MASK_0: STREAM_COUT
FD_MASK_0: STREAM_CERR
FD_MASK_0: INITED
FD_MASK_1-NOT: PRINTF_STDOUT
FD_MASK_1: PRINTF_STDERR
FD_MASK_1-NOT: STREAM_COUT
FD_MASK_1: STREAM_CERR
FD_MASK_1: INITED
FD_MASK_2: PRINTF_STDOUT
FD_MASK_2-NOT: PRINTF_STDERR
FD_MASK_2: STREAM_COUT
FD_MASK_2-NOTE: STREAM_CERR
FD_MASK_2: INITED
FD_MASK_3-NOT: PRINTF_STDOUT
FD_MASK_3-NOT: PRINTF_STDERR
FD_MASK_3-NOT: STREAM_COUT
FD_MASK_3-NOT: STREAM_CERR
FD_MASK_3: INITED

11
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-finalstats.test vendored Normal file
View File

@ -0,0 +1,11 @@
RUN: LLVMFuzzer-SimpleTest -seed=1 -runs=77 -print_final_stats=1 2>&1 | FileCheck %s --check-prefix=FINAL_STATS
FINAL_STATS: stat::number_of_executed_units: 77
FINAL_STATS: stat::average_exec_per_sec: 0
FINAL_STATS: stat::new_units_added:
FINAL_STATS: stat::slowest_unit_time_sec: 0
FINAL_STATS: stat::peak_rss_mb:
RUN: LLVMFuzzer-SimpleTest %S/dict1.txt -runs=33 -print_final_stats=1 2>&1 | FileCheck %s --check-prefix=FINAL_STATS1
FINAL_STATS1: stat::number_of_executed_units: 33
FINAL_STATS1: stat::peak_rss_mb:

10
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-flags.test vendored Normal file
View File

@ -0,0 +1,10 @@
RUN: LLVMFuzzer-SimpleTest -foo_bar=1 2>&1 | FileCheck %s --check-prefix=FOO_BAR
FOO_BAR: WARNING: unrecognized flag '-foo_bar=1'; use -help=1 to list all flags
FOO_BAR: BINGO
RUN: LLVMFuzzer-SimpleTest -runs=10 --max_len=100 2>&1 | FileCheck %s --check-prefix=DASH_DASH
DASH_DASH: WARNING: did you mean '-max_len=100' (single dash)?
DASH_DASH: INFO: A corpus is not provided, starting from an empty corpus
RUN: LLVMFuzzer-SimpleTest -help=1 2>&1 | FileCheck %s --check-prefix=NO_INTERNAL
NO_INTERNAL-NOT: internal flag

29
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-jobs.test vendored Normal file
View File

@ -0,0 +1,29 @@
RUN: rm -rf %tmp
RUN: mkdir %tmp && cd %tmp
# Create a shared corpus directory
RUN: rm -rf FuzzerJobsTestCORPUS
RUN: mkdir FuzzerJobsTestCORPUS
RUN: rm -f fuzz-{0,1}.log
# Start fuzzer and in parallel check that the output files
# that should be created exist.
RUN: LLVMFuzzer-EmptyTest -max_total_time=4 -jobs=2 -workers=2 FuzzerJobsTestCORPUS > %t-fuzzer-jobs-test.log 2>&1 & export FUZZER_PID=$!
# Wait a short while to give time for the child processes
# to start fuzzing
RUN: sleep 2
# If the instances are running in parallel they should have created their log
# files by now.
RUN: ls fuzz-0.log
RUN: ls fuzz-1.log
# Wait for libfuzzer to finish.
# This probably isn't portable but we need a way to block until
# the fuzzer is done otherwise we might remove the files while
# they are being used.
RUN: while kill -0 ${FUZZER_PID}; do : ; done
RUN: rm -f fuzz-{0,1}.log
RUN: rm -rf FuzzerJobsTestCORPUS
RUN: FileCheck -input-file=%t-fuzzer-jobs-test.log %s
RUN: rm %t-fuzzer-jobs-test.log
RUN: cd ../
CHECK-DAG: Job 0 exited with exit code 0
CHECK-DAG: Job 1 exited with exit code 0

35
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-leak.test vendored Normal file
View File

@ -0,0 +1,35 @@
REQUIRES: lsan
RUN: not LLVMFuzzer-LeakTest -runs=100000 -detect_leaks=1 2>&1 | FileCheck %s --check-prefix=LEAK_DURING
LEAK_DURING: ERROR: LeakSanitizer: detected memory leaks
LEAK_DURING: Direct leak of 4 byte(s) in 1 object(s) allocated from:
LEAK_DURING: INFO: to ignore leaks on libFuzzer side use -detect_leaks=0
LEAK_DURING: Test unit written to ./leak-
LEAK_DURING-NOT: DONE
LEAK_DURING-NOT: Done
RUN: not LLVMFuzzer-LeakTest -runs=0 -detect_leaks=1 %S 2>&1 | FileCheck %s --check-prefix=LEAK_IN_CORPUS
LEAK_IN_CORPUS: ERROR: LeakSanitizer: detected memory leaks
LEAK_IN_CORPUS: INFO: a leak has been found in the initial corpus.
RUN: not LLVMFuzzer-LeakTest -runs=100000000 %S/hi.txt 2>&1 | FileCheck %s --check-prefix=MULTI_RUN_LEAK
MULTI_RUN_LEAK-NOT: pulse
MULTI_RUN_LEAK: LeakSanitizer: detected memory leaks
RUN: not LLVMFuzzer-LeakTest -runs=100000 -detect_leaks=0 2>&1 | FileCheck %s --check-prefix=LEAK_AFTER
RUN: not LLVMFuzzer-LeakTest -runs=100000 2>&1 | FileCheck %s --check-prefix=LEAK_DURING
RUN: not LLVMFuzzer-ThreadedLeakTest -runs=100000 -detect_leaks=0 2>&1 | FileCheck %s --check-prefix=LEAK_AFTER
RUN: not LLVMFuzzer-ThreadedLeakTest -runs=100000 2>&1 | FileCheck %s --check-prefix=LEAK_DURING
LEAK_AFTER: Done 100000 runs in
LEAK_AFTER: ERROR: LeakSanitizer: detected memory leaks
RUN: not LLVMFuzzer-LeakTest -runs=100000 -max_len=1 2>&1 | FileCheck %s --check-prefix=MAX_LEN_1
MAX_LEN_1: Test unit written to ./leak-7cf184f4c67ad58283ecb19349720b0cae756829
RUN: not LLVMFuzzer-LeakTimeoutTest -timeout=1 2>&1 | FileCheck %s --check-prefix=LEAK_TIMEOUT
LEAK_TIMEOUT: ERROR: libFuzzer: timeout after
LEAK_TIMEOUT-NOT: LeakSanitizer
RUN: LLVMFuzzer-AccumulateAllocationsTest -detect_leaks=1 -runs=100000 2>&1 | FileCheck %s --check-prefix=ACCUMULATE_ALLOCS
ACCUMULATE_ALLOCS: INFO: libFuzzer disabled leak detection after every mutation
RUN: LLVMFuzzer-LeakTest -error_exitcode=0

6
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-oom-with-profile.test vendored Normal file
View File

@ -0,0 +1,6 @@
REQUIRES: linux
RUN: not LLVMFuzzer-OutOfMemoryTest -rss_limit_mb=300 2>&1 | FileCheck %s
CHECK: ERROR: libFuzzer: out-of-memory (used: {{.*}}; limit: 300Mb)
CHECK: Live Heap Allocations
CHECK: Test unit written to ./oom-
SUMMARY: libFuzzer: out-of-memory

11
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-oom.test vendored Normal file
View File

@ -0,0 +1,11 @@
RUN: not LLVMFuzzer-OutOfMemoryTest -rss_limit_mb=300 2>&1 | FileCheck %s
CHECK: ERROR: libFuzzer: out-of-memory (used: {{.*}}; limit: 300Mb)
CHECK: Test unit written to ./oom-
SUMMARY: libFuzzer: out-of-memory
RUN: not LLVMFuzzer-OutOfMemorySingleLargeMallocTest 2>&1 | FileCheck %s --check-prefix=SINGLE_LARGE_MALLOC
SINGLE_LARGE_MALLOC: libFuzzer: out-of-memory (malloc(42{{.*}}))
SINGLE_LARGE_MALLOC: in LLVMFuzzerTestOneInput
# Check that -rss_limit_mb=0 means no limit.
RUN: LLVMFuzzer-AccumulateAllocationsTest -runs=1000 -rss_limit_mb=0

8
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-printcovpcs.test vendored Normal file
View File

@ -0,0 +1,8 @@
RUN: LLVMFuzzer-SimpleTest -print_pcs=1 -seed=1 2>&1 | FileCheck %s --check-prefix=PCS
PCS-NOT: NEW_PC
PCS:INITED
PCS:NEW_PC: {{0x[a-f0-9]+}}
PCS:NEW_PC: {{0x[a-f0-9]+}}
PCS:NEW
PCS:BINGO

8
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-runs.test vendored Normal file
View File

@ -0,0 +1,8 @@
RUN: mkdir -p %t
RUN: echo abcd > %t/NthRunCrashTest.in
RUN: LLVMFuzzer-NthRunCrashTest %t/NthRunCrashTest.in
RUN: LLVMFuzzer-NthRunCrashTest %t/NthRunCrashTest.in -runs=10
RUN: not LLVMFuzzer-NthRunCrashTest %t/NthRunCrashTest.in -runs=10000 2>&1 | FileCheck %s
RUN: rm %t/NthRunCrashTest.in
CHECK: BINGO

3
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-seed.test vendored Normal file
View File

@ -0,0 +1,3 @@
RUN: LLVMFuzzer-SimpleCmpTest -seed=-1 -runs=0 2>&1 | FileCheck %s --check-prefix=CHECK_SEED_MINUS_ONE
CHECK_SEED_MINUS_ONE: Seed: 4294967295

5
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-segv.test vendored Normal file
View File

@ -0,0 +1,5 @@
RUN: ASAN_OPTIONS=handle_segv=0 not LLVMFuzzer-NullDerefTest 2>&1 | FileCheck %s --check-prefix=LIBFUZZER_OWN_SEGV_HANDLER
LIBFUZZER_OWN_SEGV_HANDLER: == ERROR: libFuzzer: deadly signal
LIBFUZZER_OWN_SEGV_HANDLER: SUMMARY: libFuzzer: deadly signal
LIBFUZZER_OWN_SEGV_HANDLER: Test unit written to ./crash-

16
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-singleinputs.test vendored Normal file
View File

@ -0,0 +1,16 @@
RUN: not LLVMFuzzer-NullDerefTest %S/hi.txt 2>&1 | FileCheck %s --check-prefix=SingleInput
SingleInput-NOT: Test unit written to ./crash-
RUN: rm -rf %tmp/SINGLE_INPUTS
RUN: mkdir -p %tmp/SINGLE_INPUTS
RUN: echo aaa > %tmp/SINGLE_INPUTS/aaa
RUN: echo bbb > %tmp/SINGLE_INPUTS/bbb
RUN: LLVMFuzzer-SimpleTest %tmp/SINGLE_INPUTS/aaa %tmp/SINGLE_INPUTS/bbb 2>&1 | FileCheck %s --check-prefix=SINGLE_INPUTS
RUN: LLVMFuzzer-SimpleTest -max_len=2 %tmp/SINGLE_INPUTS/aaa %tmp/SINGLE_INPUTS/bbb 2>&1 | FileCheck %s --check-prefix=SINGLE_INPUTS
RUN: rm -rf %tmp/SINGLE_INPUTS
SINGLE_INPUTS: LLVMFuzzer-SimpleTest: Running 2 inputs 1 time(s) each.
SINGLE_INPUTS: aaa in
SINGLE_INPUTS: bbb in
SINGLE_INPUTS: NOTE: fuzzing was not performed, you have only
SINGLE_INPUTS: executed the target code on a fixed set of inputs.

7
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-threaded.test vendored Normal file
View File

@ -0,0 +1,7 @@
CHECK: Done 1000 runs in
RUN: LLVMFuzzer-ThreadedTest -use_traces=1 -runs=1000 2>&1 | FileCheck %s
RUN: LLVMFuzzer-ThreadedTest -use_traces=1 -runs=1000 2>&1 | FileCheck %s
RUN: LLVMFuzzer-ThreadedTest -use_traces=1 -runs=1000 2>&1 | FileCheck %s
RUN: LLVMFuzzer-ThreadedTest -use_traces=1 -runs=1000 2>&1 | FileCheck %s

19
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-timeout.test vendored Normal file
View File

@ -0,0 +1,19 @@
RUN: not LLVMFuzzer-TimeoutTest -timeout=1 2>&1 | FileCheck %s --check-prefix=TimeoutTest
TimeoutTest: ALARM: working on the last Unit for
TimeoutTest: Test unit written to ./timeout-
TimeoutTest: == ERROR: libFuzzer: timeout after
TimeoutTest: #0
TimeoutTest: #1
TimeoutTest: #2
TimeoutTest: SUMMARY: libFuzzer: timeout
RUN: not LLVMFuzzer-TimeoutTest -timeout=1 %S/hi.txt 2>&1 | FileCheck %s --check-prefix=SingleInputTimeoutTest
SingleInputTimeoutTest: ALARM: working on the last Unit for {{[1-3]}} seconds
SingleInputTimeoutTest-NOT: Test unit written to ./timeout-
RUN: LLVMFuzzer-TimeoutTest -timeout=1 -timeout_exitcode=0
RUN: not LLVMFuzzer-TimeoutEmptyTest -timeout=1 2>&1 | FileCheck %s --check-prefix=TimeoutEmptyTest
TimeoutEmptyTest: ALARM: working on the last Unit for
TimeoutEmptyTest: == ERROR: libFuzzer: timeout after
TimeoutEmptyTest: SUMMARY: libFuzzer: timeout

25
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-traces-hooks.test vendored Normal file
View File

@ -0,0 +1,25 @@
// FIXME: Support sanitizer hooks for memcmp and strcmp need
// to be implemented in the sanitizer runtime for platforms other
// than linux
REQUIRES: linux
CHECK: BINGO
Done1000000: Done 1000000 runs in
RUN: not LLVMFuzzer-MemcmpTest -seed=4294967295 -runs=100000 2>&1 | FileCheck %s
RUN: LLVMFuzzer-MemcmpTest -use_memcmp=0 -seed=4294967295 -runs=1000000 2>&1 | FileCheck %s --check-prefix=Done1000000
RUN: not LLVMFuzzer-StrncmpTest -seed=2 -runs=100000 2>&1 | FileCheck %s
RUN: LLVMFuzzer-StrncmpTest -use_memcmp=0 -seed=3 -runs=1000000 2>&1 | FileCheck %s --check-prefix=Done1000000
RUN: not LLVMFuzzer-StrcmpTest -seed=4 -runs=200000 2>&1 | FileCheck %s
RUN: LLVMFuzzer-StrcmpTest -use_memcmp=0 -seed=5 -runs=1000000 2>&1 | FileCheck %s --check-prefix=Done1000000
RUN: not LLVMFuzzer-StrstrTest -seed=6 -runs=200000 2>&1 | FileCheck %s
RUN: LLVMFuzzer-StrstrTest -use_memmem=0 -seed=7 -runs=1000000 2>&1 | FileCheck %s --check-prefix=Done1000000
RUN: LLVMFuzzer-RepeatedMemcmp -seed=10 -runs=100000 2>&1 | FileCheck %s --check-prefix=RECOMMENDED_DICT
RECOMMENDED_DICT:###### Recommended dictionary. ######
RECOMMENDED_DICT-DAG: "foo"
RECOMMENDED_DICT-DAG: "bar"
RECOMMENDED_DICT:###### End of recommended dictionary. ######

4
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer-ubsan.test vendored Normal file
View File

@ -0,0 +1,4 @@
RUN: not LLVMFuzzer-SignedIntOverflowTest-Ubsan 2>&1 | FileCheck %s
CHECK: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
CHECK: Test unit written to ./crash-

57
source/lib/json/tests/thirdparty/Fuzzer/test/fuzzer.test vendored Normal file
View File

@ -0,0 +1,57 @@
CHECK: BINGO
Done1000000: Done 1000000 runs in
RUN: LLVMFuzzer-SimpleTest 2>&1 | FileCheck %s
# only_ascii mode. Will perform some minimal self-validation.
RUN: LLVMFuzzer-SimpleTest -only_ascii=1 2>&1
RUN: LLVMFuzzer-SimpleCmpTest -max_total_time=1 -use_cmp=0 2>&1 | FileCheck %s --check-prefix=MaxTotalTime
MaxTotalTime: Done {{.*}} runs in {{.}} second(s)
RUN: not LLVMFuzzer-NullDerefTest 2>&1 | FileCheck %s --check-prefix=NullDerefTest
RUN: not LLVMFuzzer-NullDerefTest -close_fd_mask=3 2>&1 | FileCheck %s --check-prefix=NullDerefTest
NullDerefTest: ERROR: AddressSanitizer: SEGV on unknown address
NullDerefTest: Test unit written to ./crash-
RUN: not LLVMFuzzer-NullDerefTest -artifact_prefix=ZZZ 2>&1 | FileCheck %s --check-prefix=NullDerefTestPrefix
NullDerefTestPrefix: Test unit written to ZZZcrash-
RUN: not LLVMFuzzer-NullDerefTest -artifact_prefix=ZZZ -exact_artifact_path=FOOBAR 2>&1 | FileCheck %s --check-prefix=NullDerefTestExactPath
NullDerefTestExactPath: Test unit written to FOOBAR
RUN: not LLVMFuzzer-NullDerefOnEmptyTest -print_final_stats=1 2>&1 | FileCheck %s --check-prefix=NULL_DEREF_ON_EMPTY
NULL_DEREF_ON_EMPTY: stat::number_of_executed_units:
#not LLVMFuzzer-FullCoverageSetTest -timeout=15 -seed=1 -mutate_depth=2 -use_full_coverage_set=1 2>&1 | FileCheck %s
RUN: not LLVMFuzzer-CounterTest -max_len=6 -seed=1 -timeout=15 2>&1 | FileCheck %s --check-prefix=COUNTERS
COUNTERS: INITED {{.*}} {{bits:|ft:}}
COUNTERS: NEW {{.*}} {{bits:|ft:}} {{[1-9]*}}
COUNTERS: NEW {{.*}} {{bits:|ft:}} {{[1-9]*}}
COUNTERS: BINGO
# Don't run UninstrumentedTest for now since we build libFuzzer itself with asan.
DISABLED: not LLVMFuzzer-UninstrumentedTest-Uninstrumented 2>&1 | FileCheck %s --check-prefix=UNINSTRUMENTED
UNINSTRUMENTED: ERROR: __sanitizer_set_death_callback is not defined. Exiting.
RUN: not LLVMFuzzer-UninstrumentedTest-NoCoverage 2>&1 | FileCheck %s --check-prefix=NO_COVERAGE
NO_COVERAGE: ERROR: no interesting inputs were found. Is the code instrumented for coverage? Exiting
RUN: not LLVMFuzzer-BufferOverflowOnInput 2>&1 | FileCheck %s --check-prefix=OOB
OOB: AddressSanitizer: heap-buffer-overflow
OOB: is located 0 bytes to the right of 3-byte region
RUN: not LLVMFuzzer-InitializeTest -use_value_profile=1 2>&1 | FileCheck %s
RUN: not LLVMFuzzer-DSOTest 2>&1 | FileCheck %s --check-prefix=DSO
DSO: INFO: Loaded 3 modules
DSO: BINGO
RUN: LLVMFuzzer-SimpleTest -exit_on_src_pos=SimpleTest.cpp:17 2>&1 | FileCheck %s --check-prefix=EXIT_ON_SRC_POS
RUN: LLVMFuzzer-ShrinkControlFlowTest -exit_on_src_pos=ShrinkControlFlowTest.cpp:23 2>&1 | FileCheck %s --check-prefix=EXIT_ON_SRC_POS
EXIT_ON_SRC_POS: INFO: found line matching '{{.*}}', exiting.
RUN: ASAN_OPTIONS=strict_string_checks=1 not LLVMFuzzer-StrncmpOOBTest -seed=1 -runs=1000000 2>&1 | FileCheck %s --check-prefix=STRNCMP
STRNCMP: AddressSanitizer: heap-buffer-overflow
STRNCMP-NOT: __sanitizer_weak_hook_strncmp
STRNCMP: in LLVMFuzzerTestOneInput

1
source/lib/json/tests/thirdparty/Fuzzer/test/hi.txt vendored Normal file
View File

@ -0,0 +1 @@
Hi!

29
source/lib/json/tests/thirdparty/Fuzzer/test/lit.cfg vendored Normal file
View File

@ -0,0 +1,29 @@
import lit.formats
import sys
config.name = "LLVMFuzzer"
config.test_format = lit.formats.ShTest(True)
config.suffixes = ['.test']
config.test_source_root = os.path.dirname(__file__)
# Tweak PATH to include llvm tools dir and current exec dir.
llvm_tools_dir = getattr(config, 'llvm_tools_dir', None)
if (not llvm_tools_dir) or (not os.path.exists(llvm_tools_dir)):
lit_config.fatal("Invalid llvm_tools_dir config attribute: %r" % llvm_tools_dir)
path = os.path.pathsep.join((llvm_tools_dir, config.test_exec_root,
config.environment['PATH']))
config.environment['PATH'] = path
if config.has_lsan:
lit_config.note('lsan feature available')
config.available_features.add('lsan')
else:
lit_config.note('lsan feature unavailable')
if sys.platform.startswith('linux'):
# Note the value of ``sys.platform`` is not consistent
# between python 2 and 3, hence the use of ``.startswith()``.
lit_config.note('linux feature available')
config.available_features.add('linux')
else:
lit_config.note('linux feature unavailable')

4
source/lib/json/tests/thirdparty/Fuzzer/test/lit.site.cfg.in vendored Normal file
View File

@ -0,0 +1,4 @@
config.test_exec_root = "@CMAKE_CURRENT_BINARY_DIR@"
config.llvm_tools_dir = "@LLVM_TOOLS_DIR@"
config.has_lsan = True if @HAS_LSAN@ == 1 else False
lit_config.load_config(config, "@CMAKE_CURRENT_SOURCE_DIR@/lit.cfg")

46
source/lib/json/tests/thirdparty/Fuzzer/test/merge.test vendored Normal file
View File

@ -0,0 +1,46 @@
CHECK: BINGO
RUN: rm -rf %tmp/T1 %tmp/T2
RUN: mkdir -p %tmp/T1 %tmp/T2
RUN: echo F..... > %tmp/T1/1
RUN: echo .U.... > %tmp/T1/2
RUN: echo ..Z... > %tmp/T1/3
# T1 has 3 elements, T2 is empty.
RUN: LLVMFuzzer-FullCoverageSetTest -merge=1 %tmp/T1 %tmp/T2 2>&1 | FileCheck %s --check-prefix=CHECK1
CHECK1: MERGE-OUTER: 3 files, 3 in the initial corpus
CHECK1: MERGE-OUTER: 0 new files with 0 new features added
RUN: echo ...Z.. > %tmp/T2/1
RUN: echo ....E. > %tmp/T2/2
RUN: echo .....R > %tmp/T2/3
RUN: echo F..... > %tmp/T2/a
RUN: echo .U.... > %tmp/T2/b
RUN: echo ..Z... > %tmp/T2/c
# T1 has 3 elements, T2 has 6 elements, only 3 are new.
RUN: LLVMFuzzer-FullCoverageSetTest -merge=1 %tmp/T1 %tmp/T2 2>&1 | FileCheck %s --check-prefix=CHECK2
CHECK2: MERGE-OUTER: 9 files, 3 in the initial corpus
CHECK2: MERGE-OUTER: 3 new files with 3 new features added
# Now, T1 has 6 units and T2 has no new interesting units.
RUN: LLVMFuzzer-FullCoverageSetTest -merge=1 %tmp/T1 %tmp/T2 2>&1 | FileCheck %s --check-prefix=CHECK3
CHECK3: MERGE-OUTER: 12 files, 6 in the initial corpus
CHECK3: MERGE-OUTER: 0 new files with 0 new features added
# Check that we respect max_len during the merge and don't crash.
RUN: rm %tmp/T1/??*
RUN: echo looooooooong > %tmp/T2/looooooooong
RUN: LLVMFuzzer-FullCoverageSetTest -merge=1 %tmp/T1 %tmp/T2 -max_len=6 2>&1 | FileCheck %s --check-prefix=MAX_LEN
MAX_LEN: MERGE-OUTER: 3 new files
# Check that merge tolerates failures.
RUN: rm %tmp/T1/??*
RUN: echo 'FUZZER' > %tmp/T2/FUZZER
RUN: LLVMFuzzer-FullCoverageSetTest -merge=1 %tmp/T1 %tmp/T2 2>&1 | FileCheck %s --check-prefix=MERGE_WITH_CRASH
MERGE_WITH_CRASH: MERGE-OUTER: succesfull in 2 attempt(s)
MERGE_WITH_CRASH: MERGE-OUTER: 3 new files
# Check that we actually limit the size with max_len
RUN: LLVMFuzzer-FullCoverageSetTest -merge=1 %tmp/T1 %tmp/T2 -max_len=5 2>&1 | FileCheck %s --check-prefix=MERGE_LEN5
MERGE_LEN5: MERGE-OUTER: succesfull in 1 attempt(s)

6
source/lib/json/tests/thirdparty/Fuzzer/test/minimize_crash.test vendored Normal file
View File

@ -0,0 +1,6 @@
RUN: echo 'Hi!rv349f34t3gg' > not_minimal_crash
RUN: LLVMFuzzer-NullDerefTest -minimize_crash=1 not_minimal_crash -max_total_time=2 2>&1 | FileCheck %s
CHECK: CRASH_MIN: failed to minimize beyond minimized-from-{{.*}} (3 bytes), exiting
RUN: LLVMFuzzer-NullDerefTest -minimize_crash=1 not_minimal_crash -max_total_time=2 -exact_artifact_path=exact_minimized_path 2>&1 | FileCheck %s --check-prefix=CHECK_EXACT
CHECK_EXACT: CRASH_MIN: failed to minimize beyond exact_minimized_path (3 bytes), exiting
RUN: rm not_minimal_crash minimized-from-* exact_minimized_path

29
source/lib/json/tests/thirdparty/Fuzzer/test/no-coverage/CMakeLists.txt vendored Normal file
View File

@ -0,0 +1,29 @@
# These tests are not instrumented with coverage,
# but have coverage rt in the binary.
set(CMAKE_CXX_FLAGS
"${LIBFUZZER_FLAGS_BASE} -fno-sanitize-coverage=edge,trace-cmp,indirect-calls,8bit-counters,trace-pc-guard")
set(NoCoverageTests
UninstrumentedTest
)
foreach(Test ${NoCoverageTests})
add_libfuzzer_test(${Test}-NoCoverage SOURCES ../${Test}.cpp)
endforeach()
###############################################################################
# AFL Driver test
###############################################################################
add_executable(AFLDriverTest
../AFLDriverTest.cpp ../../afl/afl_driver.cpp)
set_target_properties(AFLDriverTest
PROPERTIES RUNTIME_OUTPUT_DIRECTORY
"${CMAKE_BINARY_DIR}/lib/Fuzzer/test"
)
# Propagate value into parent directory
set(TestBinaries ${TestBinaries} AFLDriverTest PARENT_SCOPE)

2
source/lib/json/tests/thirdparty/Fuzzer/test/repeated-bytes.test vendored Normal file
View File

@ -0,0 +1,2 @@
CHECK: BINGO
RUN: LLVMFuzzer-RepeatedBytesTest -seed=1 -runs=1000000 2>&1 | FileCheck %s

7
source/lib/json/tests/thirdparty/Fuzzer/test/shrink.test vendored Normal file
View File

@ -0,0 +1,7 @@
RUN: LLVMFuzzer-ShrinkControlFlowTest -seed=1 -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60 -runs=1000000 -shrink=1 2>&1 | FileCheck %s --check-prefix=SHRINK1
RUN: LLVMFuzzer-ShrinkControlFlowTest -seed=1 -exit_on_item=0eb8e4ed029b774d80f2b66408203801cb982a60 -runs=1000000 -shrink=0 2>&1 | FileCheck %s --check-prefix=SHRINK0
RUN: LLVMFuzzer-ShrinkValueProfileTest -seed=1 -exit_on_item=aea2e3923af219a8956f626558ef32f30a914ebc -runs=100000 -shrink=1 -use_value_profile=1 2>&1 | FileCheck %s --check-prefix=SHRINK1_VP
SHRINK0: Done 1000000 runs in
SHRINK1: INFO: found item with checksum '0eb8e4ed029b774d80f2b66408203801cb982a60', exiting.
SHRINK1_VP: INFO: found item with checksum 'aea2e3923af219a8956f626558ef32f30a914ebc', exiting

2
source/lib/json/tests/thirdparty/Fuzzer/test/simple-cmp.test vendored Normal file
View File

@ -0,0 +1,2 @@
CHECK: BINGO
RUN: not LLVMFuzzer-SimpleCmpTest -seed=1 -runs=100000000 2>&1 | FileCheck %s

4
source/lib/json/tests/thirdparty/Fuzzer/test/standalone.test vendored Normal file
View File

@ -0,0 +1,4 @@
RUN: LLVMFuzzer-StandaloneInitializeTest %S/hi.txt %S/dict1.txt 2>&1 | FileCheck %s
CHECK: StandaloneFuzzTargetMain: running 2 inputs
CHECK: Done: {{.*}}hi.txt: (3 bytes)
CHECK: Done: {{.*}}dict1.txt: (61 bytes)

2
source/lib/json/tests/thirdparty/Fuzzer/test/swap-cmp.test vendored Normal file
View File

@ -0,0 +1,2 @@
CHECK: BINGO
RUN: not LLVMFuzzer-SwapCmpTest -seed=1 -runs=10000000 2>&1 | FileCheck %s

10
source/lib/json/tests/thirdparty/Fuzzer/test/trace-malloc.test vendored Normal file
View File

@ -0,0 +1,10 @@
RUN: LLVMFuzzer-TraceMallocTest -seed=1 -trace_malloc=1 -runs=10000 2>&1 | FileCheck %s
CHECK-DAG: MallocFreeTracer: STOP 0 0 (same)
CHECK-DAG: MallocFreeTracer: STOP 0 1 (DIFFERENT)
CHECK-DAG: MallocFreeTracer: STOP 1 0 (DIFFERENT)
CHECK-DAG: MallocFreeTracer: STOP 1 1 (same)
RUN: LLVMFuzzer-TraceMallocTest -seed=1 -trace_malloc=2 -runs=1000 2>&1 | FileCheck %s --check-prefix=TRACE2
TRACE2-DAG: FREE[0]
TRACE2-DAG: MALLOC[0]
TRACE2-DAG: in LLVMFuzzerTestOneInput

15
source/lib/json/tests/thirdparty/Fuzzer/test/ubsan/CMakeLists.txt vendored Normal file
View File

@ -0,0 +1,15 @@
# These tests are instrumented with ubsan in non-recovery mode.
set(CMAKE_CXX_FLAGS
"${LIBFUZZER_FLAGS_BASE} -fsanitize=undefined -fno-sanitize-recover=all")
set(UbsanTests
SignedIntOverflowTest
)
foreach(Test ${UbsanTests})
add_libfuzzer_test(${Test}-Ubsan SOURCES ../${Test}.cpp)
endforeach()
# Propagate value into parent directory
set(TestBinaries ${TestBinaries} PARENT_SCOPE)

2
source/lib/json/tests/thirdparty/Fuzzer/test/ulimit.test vendored Normal file
View File

@ -0,0 +1,2 @@
RUN: ulimit -s 1000
RUN: LLVMFuzzer-SimpleTest

16
source/lib/json/tests/thirdparty/Fuzzer/test/uninstrumented/CMakeLists.txt vendored Normal file
View File

@ -0,0 +1,16 @@
# These tests are not instrumented with coverage and don't
# have coverage rt in the binary.
set(CMAKE_CXX_FLAGS
"${LIBFUZZER_FLAGS_BASE} -fno-sanitize=all -fno-sanitize-coverage=edge,trace-cmp,indirect-calls,8bit-counters,trace-pc-guard")
set(UninstrumentedTests
UninstrumentedTest
)
foreach(Test ${UninstrumentedTests})
add_libfuzzer_test(${Test}-Uninstrumented SOURCES ../${Test}.cpp)
endforeach()
# Propagate value into parent directory
set(TestBinaries ${TestBinaries} PARENT_SCOPE)

7
source/lib/json/tests/thirdparty/Fuzzer/test/unit/lit.cfg vendored Normal file
View File

@ -0,0 +1,7 @@
import lit.formats
config.name = "LLVMFuzzer-Unittest"
print config.test_exec_root
config.test_format = lit.formats.GoogleTest(".", "Unittest")
config.suffixes = []
config.test_source_root = config.test_exec_root

Some files were not shown because too many files have changed in this diff Show More