Merge pull request #757 from DLTcollab/fuzzing

Add libFuzzer-based fuzz testing infrastructure

Author: jserv

.github/workflows/main.yml

@@ -508,7 +508,7 @@ jobs:
           Write-Host "OS: $([System.Environment]::OSVersion)"
           Write-Host "Processor: $env:PROCESSOR_ARCHITECTURE"
 
-  # Sanitizers on ARM: UBSan + ASan per IMPROVE.md H5
+  # Sanitizers on ARM: UBSan + ASan
   sanitizers-arm:
     runs-on: ubuntu-24.04-arm
     strategy:
@@ -540,6 +540,30 @@ jobs:
           ASAN_OPTIONS: detect_leaks=1:halt_on_error=1
         run: make SANITIZE=${{ matrix.sanitizer }} check
 
+  # Fuzz testing on ARM: libFuzzer with ASan/UBSan
+  # Only runs on native ARM64 (no QEMU) with clang (libFuzzer requirement)
+  fuzz-arm:
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - name: checkout code
+        uses: actions/checkout@v6
+      - name: install clang
+        run: |
+          # clang-18 is in 'universe' repository on Ubuntu 24.04
+          sudo add-apt-repository -y -n universe
+          sudo apt-get -o Acquire::Retries=5 update -q -y
+          sudo apt-get -o Acquire::Retries=5 install -q -y --no-install-recommends clang-18
+      - name: build and run fuzzer
+        env:
+          CXX: clang++-18
+          UBSAN_OPTIONS: print_stacktrace=1:halt_on_error=1
+          ASAN_OPTIONS: detect_leaks=0:halt_on_error=1
+        run: |
+          # Build fuzzer with crypto+crc extensions for full coverage
+          make FEATURE=crypto+crc FUZZ_CXX=clang++-18 tests/fuzz
+          # Run for 30 seconds in CI (verbose mode for logs)
+          make FUZZ_TIME=30 fuzz-verbose
+
   static-analysis:
     runs-on: ubuntu-24.04
     env:

Makefile

@@ -291,13 +291,84 @@ endif
 coverage-report:
 	@python3 scripts/coverage-check.py
 
-.PHONY: clean check check-main check-ieee754 check-nan check-aes check-ubsan check-asan check-strict-aliasing check-uninit check-macros check-differential generate-golden coverage-report indent ieee754 nan aes
+# Fuzzing configuration
+FUZZ_EXEC = tests/fuzz
+FUZZ_TIME ?= 90
+FUZZ_ARGS ?=
+FUZZ_CORPUS ?= fuzz_corpus
+
+# Detect if clang is available for fuzzing (libFuzzer requires clang)
+FUZZ_CXX := $(shell command -v clang++ 2>/dev/null)
+
+# Fuzzer build flags
+# Note: libFuzzer is built into clang on Linux but may require separate
+# installation on macOS (install via: brew install llvm)
+FUZZ_CXXFLAGS = -g -O1 -fsanitize=fuzzer,address,undefined -fno-omit-frame-pointer
+# Enable crypto extensions for AES and CLMUL testing on AArch64
+FUZZ_ARCH_FLAGS := $(ARCH_CFLAGS)
+ifeq ($(processor),$(filter $(processor),aarch64 arm64))
+FUZZ_ARCH_FLAGS := -march=armv8-a+fp+simd+crypto+crc
+endif
+FUZZ_CXXFLAGS += -Wall -Wno-unused-function -I. $(FUZZ_ARCH_FLAGS) -std=gnu++14
+
+# On macOS, prefer Homebrew LLVM if available (has libFuzzer built-in)
+UNAME_S := $(shell uname -s)
+ifeq ($(UNAME_S),Darwin)
+HOMEBREW_LLVM_DIR := $(shell \
+    if [ -d /opt/homebrew/opt/llvm ]; then echo /opt/homebrew/opt/llvm; \
+    elif [ -d /usr/local/opt/llvm ]; then echo /usr/local/opt/llvm; \
+    fi)
+ifneq ($(HOMEBREW_LLVM_DIR),)
+FUZZ_CXX := $(HOMEBREW_LLVM_DIR)/bin/clang++
+# Use Homebrew LLVM's libc++ to avoid ABI mismatch with libFuzzer
+FUZZ_CXXFLAGS += -L$(HOMEBREW_LLVM_DIR)/lib/c++ -Wl,-rpath,$(HOMEBREW_LLVM_DIR)/lib/c++
+FUZZ_CXXFLAGS += -L$(HOMEBREW_LLVM_DIR)/lib -Wl,-rpath,$(HOMEBREW_LLVM_DIR)/lib
+endif
+endif
+
+# Build the fuzzer binary
+$(FUZZ_EXEC): tests/fuzz.cpp sse2neon.h
+	@if [ -z "$(FUZZ_CXX)" ]; then \
+		echo "Error: clang++ is required for fuzzing (libFuzzer support)"; \
+		echo "On macOS: brew install llvm"; \
+		echo "On Linux: apt install clang (or equivalent)"; \
+		exit 1; \
+	fi
+	@echo "Building fuzzer with: $(FUZZ_CXX)"
+	$(FUZZ_CXX) $(FUZZ_CXXFLAGS) -o $@ tests/fuzz.cpp || { \
+		echo ""; \
+		echo "Build failed. If libFuzzer is missing:"; \
+		echo "  macOS: brew install llvm"; \
+		echo "  Linux: Should work with clang 11+"; \
+		exit 1; \
+	}
+
+# Run fuzzer with progress bar (interactive mode)
+# Usage: make fuzz [FUZZ_TIME=60] [FUZZ_ARGS="-max_len=1024"]
+fuzz: $(FUZZ_EXEC)
+	@mkdir -p $(FUZZ_CORPUS)
+	./scripts/fuzz-progress.sh $(FUZZ_EXEC) $(FUZZ_TIME) $(FUZZ_CORPUS) $(FUZZ_ARGS)
+
+# Run fuzzer in verbose mode (raw libFuzzer output)
+# Useful for debugging or CI/CD environments
+fuzz-verbose: $(FUZZ_EXEC)
+	@mkdir -p $(FUZZ_CORPUS)
+	$(FUZZ_EXEC) -max_total_time=$(FUZZ_TIME) $(FUZZ_CORPUS) $(FUZZ_ARGS)
+
+# Clean fuzzer artifacts
+fuzz-clean:
+	$(RM) $(FUZZ_EXEC)
+	$(RM) -r $(FUZZ_CORPUS)
+	$(RM) crash-* leak-* timeout-* oom-*
+
+.PHONY: clean check check-main check-ieee754 check-nan check-aes check-ubsan check-asan check-strict-aliasing check-uninit check-macros check-differential generate-golden coverage-report indent ieee754 nan aes fuzz fuzz-verbose fuzz-clean
 clean:
 	$(RM) $(OBJS) $(EXEC) $(deps) sse2neon.h.gch
 	$(RM) $(IEEE754_OBJS) $(IEEE754_EXEC) $(ieee754_deps)
 	$(RM) $(NAN_OBJS) $(NAN_EXEC) $(nan_deps)
 	$(RM) $(AES_OBJS) $(AES_EXEC) $(aes_deps)
 	$(RM) $(DIFFERENTIAL_OBJS) $(DIFFERENTIAL_EXEC) $(differential_deps)
+	$(RM) $(FUZZ_EXEC)
 
 -include $(deps)
 -include $(ieee754_deps)

scripts/fuzz-progress.sh

@@ -0,0 +1,209 @@
+#!/usr/bin/env bash
+
+# Progress bar wrapper for libFuzzer
+# Usage: ./scripts/fuzz-progress.sh <fuzzer_binary> <max_time_seconds> [fuzzer_args...]
+#
+# Features:
+# - Visual progress bar using Unicode block characters
+# - Real-time metrics (coverage, corpus size, exec/s)
+# - Automatic quiet mode in CI/CD environments
+# - Elapsed/remaining time display
+#
+# CI/CD Detection:
+# - Set CI=true, GITHUB_ACTIONS=true, or JENKINS_URL to enable quiet mode
+# - Or run with FUZZ_QUIET=1 to force quiet mode
+
+set -e
+
+# Check arguments
+if [ $# -lt 2 ]; then
+	echo "Usage: $0 <fuzzer_binary> <max_time_seconds> [fuzzer_args...]"
+	echo "Example: $0 tests/fuzz 60 -max_len=1024"
+	exit 1
+fi
+
+FUZZER="$1"
+MAX_TIME="$2"
+shift 2
+
+# Validate MAX_TIME is a positive integer
+if ! [[ "$MAX_TIME" =~ ^[0-9]+$ ]] || [ "$MAX_TIME" -eq 0 ]; then
+	echo "Error: max_time_seconds must be a positive integer (got: '$MAX_TIME')"
+	exit 1
+fi
+
+# Remaining arguments are passed to fuzzer (use array to handle spaces)
+FUZZER_ARGS=("$@")
+
+# Detect CI/CD environment
+is_ci() {
+	[ -n "$CI" ] || [ -n "$GITHUB_ACTIONS" ] || [ -n "$JENKINS_URL" ] ||
+		[ -n "$GITLAB_CI" ] || [ -n "$CIRCLECI" ] || [ -n "$TRAVIS" ] ||
+		[ -n "$FUZZ_QUIET" ]
+}
+
+# ANSI color codes
+if [ -t 1 ] && ! is_ci; then
+	COLOR_GREEN="\033[32m"
+	COLOR_YELLOW="\033[33m"
+	COLOR_CYAN="\033[36m"
+	COLOR_BOLD="\033[1m"
+	COLOR_RESET="\033[0m"
+	CLEAR_LINE="\033[2K\r"
+else
+	COLOR_GREEN=""
+	COLOR_YELLOW=""
+	COLOR_CYAN=""
+	COLOR_BOLD=""
+	COLOR_RESET=""
+	CLEAR_LINE=""
+fi
+
+# Progress bar configuration
+BAR_WIDTH=30
+
+# Draw progress bar
+draw_progress_bar() {
+	local percentage=$1
+	local filled=$((percentage * BAR_WIDTH / 100))
+	local empty=$((BAR_WIDTH - filled))
+
+	printf "${COLOR_CYAN}"
+	for ((i = 0; i < filled; i++)); do printf "█"; done
+	for ((i = 0; i < empty; i++)); do printf "░"; done
+	printf "${COLOR_RESET}"
+}
+
+# Format time as MM:SS
+format_time() {
+	local seconds=$1
+	printf "%02d:%02d" $((seconds / 60)) $((seconds % 60))
+}
+
+# Parse libFuzzer output and extract metrics
+parse_metrics() {
+	local line="$1"
+
+	# Extract coverage (cov: or NEW: lines contain coverage info)
+	if [[ "$line" =~ cov:\ *([0-9]+) ]]; then
+		echo "cov=${BASH_REMATCH[1]}"
+	fi
+
+	# Extract corpus size
+	if [[ "$line" =~ corp:\ *([0-9]+) ]]; then
+		echo "corp=${BASH_REMATCH[1]}"
+	fi
+
+	# Extract exec/s
+	if [[ "$line" =~ exec/s:\ *([0-9]+) ]]; then
+		echo "execs=${BASH_REMATCH[1]}"
+	fi
+
+	# Detect special events
+	if [[ "$line" =~ (BINGO|ERROR|CRASH|TIMEOUT|SUMMARY) ]]; then
+		echo "event=${BASH_REMATCH[1]}"
+	fi
+}
+
+# Main progress display function
+run_with_progress() {
+	local start_time=$(date +%s)
+	local coverage=0
+	local corpus=0
+	local execs=0
+	local last_event=""
+
+	# Create temporary file for fuzzer output
+	local tmpfile=$(mktemp)
+	trap "rm -f $tmpfile" EXIT
+
+	# Start fuzzer in background
+	"$FUZZER" -max_total_time="$MAX_TIME" "${FUZZER_ARGS[@]}" 2>&1 | tee "$tmpfile" |
+		while IFS= read -r line; do
+			# Parse metrics from line
+			metrics=$(parse_metrics "$line")
+
+			for metric in $metrics; do
+				case "$metric" in
+				cov=*) coverage="${metric#cov=}" ;;
+				corp=*) corpus="${metric#corp=}" ;;
+				execs=*) execs="${metric#execs=}" ;;
+				event=*) last_event="${metric#event=}" ;;
+				esac
+			done
+
+			# Calculate timing
+			local now=$(date +%s)
+			local elapsed=$((now - start_time))
+			local remaining=$((MAX_TIME - elapsed))
+			if [ $remaining -lt 0 ]; then remaining=0; fi
+
+			local percentage=$((elapsed * 100 / MAX_TIME))
+			if [ $percentage -gt 100 ]; then percentage=100; fi
+
+			# Display progress line
+			printf "${CLEAR_LINE}"
+			draw_progress_bar $percentage
+			printf " ${COLOR_BOLD}%3d%%${COLOR_RESET}" $percentage
+			printf " ${COLOR_GREEN}%s${COLOR_RESET}/%s" "$(format_time $elapsed)" "$(format_time $MAX_TIME)"
+			printf " ${COLOR_YELLOW}cov:%d${COLOR_RESET}" $coverage
+			printf " corp:%d" $corpus
+			printf " exec/s:%d" $execs
+
+			# Show special events
+			if [ -n "$last_event" ]; then
+				printf " ${COLOR_BOLD}[%s]${COLOR_RESET}" "$last_event"
+			fi
+		done
+
+	# Final newline
+	printf "\n"
+
+	# Check for crashes
+	if grep -q "SUMMARY.*: [1-9]" "$tmpfile" 2>/dev/null; then
+		echo ""
+		echo "${COLOR_BOLD}Fuzzing found issues. Check crash files in the current directory.${COLOR_RESET}"
+		return 1
+	fi
+
+	return 0
+}
+
+# Run in quiet mode (for CI/CD)
+run_quiet() {
+	echo "Running fuzzer for ${MAX_TIME}s (quiet mode)..."
+	"$FUZZER" -max_total_time="$MAX_TIME" "${FUZZER_ARGS[@]}"
+	local status=$?
+
+	if [ $status -eq 0 ]; then
+		echo "Fuzzing completed successfully."
+	else
+		echo "Fuzzing found issues (exit code: $status)."
+	fi
+
+	return $status
+}
+
+# Main entry point
+main() {
+	# Verify fuzzer exists
+	if [ ! -x "$FUZZER" ]; then
+		echo "Error: Fuzzer binary '$FUZZER' not found or not executable."
+		exit 1
+	fi
+
+	echo "sse2neon Fuzzer"
+	echo "==============="
+	echo "Binary: $FUZZER"
+	echo "Duration: ${MAX_TIME}s"
+	echo "Extra args: ${FUZZER_ARGS[*]:-none}"
+	echo ""
+
+	if is_ci; then
+		run_quiet
+	else
+		run_with_progress
+	fi
+}
+
+main