tests/lapi: add string tests

The patch adds a fuzzing tests for Lua string functions.

Author: ligurio

tests/lapi/lib.lua

@@ -43,10 +43,33 @@ local function random_number(fdp)
     return math.floor(num)
 end
 
+local function oneof(fdp, tbl)
+    assert(type(tbl) == "table")
+    assert(next(tbl) ~= nil)
+
+    local n = table.getn(tbl)
+    local idx = fdp:consume_integer(1, n)
+    return tbl[idx], idx
+end
+
+local function random_locale(fdp)
+    local locales = {}
+    local locale_it = io.popen("locale -a"):read("*a"):gmatch("([^\n]*)\n?")
+    for locale in locale_it do
+        table.insert(locales, locale)
+    end
+
+    return oneof(fdp, locales)
+end
+
 return {
     -- FDP.
     random_number = random_number,
+    random_locale = random_locale,
 
+    oneof = oneof,
     version = version,
     bitwise_op = bitwise_op,
+
+    MAX_INT = 2^51,
 }

tests/lapi/string_byte_test.lua

@@ -0,0 +1,36 @@
+--[[
+SPDX-License-Identifier: ISC
+Copyright (c) 2023-2025, Sergey Bronnikov.
+
+6.4 – String Manipulation
+https://www.lua.org/manual/5.3/manual.html#6.4
+
+string.byte gets confused with some out-of-range negative indices,
+https://www.lua.org/bugs.html#5.1.3-9
+]]
+
+-- Synopsis: string.byte (s [, i [, j]])
+
+local luzer = require("luzer")
+local test_lib = require("lib")
+
+local function TestOneInput(buf, _size)
+    local fdp = luzer.FuzzedDataProvider(buf)
+    os.setlocale(test_lib.random_locale(fdp), "all")
+    local len = fdp:consume_integer(0, test_lib.MAX_INT)
+    local b = fdp:consume_string(len)
+    local char_code = string.byte(b)
+    if char_code then
+        assert(type(char_code) == "number")
+        local byte = string.char(char_code)
+        assert(byte)
+        -- FIXME
+        -- assert(byte == b)
+    end
+end
+
+local args = {
+    max_len = 4096,
+    artifact_prefix = "string_byte_",
+}
+luzer.Fuzz(TestOneInput, nil, args)

tests/lapi/string_char_test.lua

@@ -0,0 +1,31 @@
+--[[
+SPDX-License-Identifier: ISC
+Copyright (c) 2023-2025, Sergey Bronnikov.
+
+6.4 – String Manipulation
+https://www.lua.org/manual/5.3/manual.html#6.4
+
+string.char bug,
+https://github.com/LuaJIT/LuaJIT/issues/375
+
+Fix string.char() recording with no arguments,
+https://github.com/LuaJIT/LuaJIT/commit/dfa692b7
+
+Synopsis: string.char (···)
+]]
+
+local luzer = require("luzer")
+local test_lib = require("lib")
+
+local function TestOneInput(buf, _size)
+    local fdp = luzer.FuzzedDataProvider(buf)
+    os.setlocale(test_lib.random_locale(fdp), "all")
+    local c = fdp:consume_integer(0, test_lib.MAX_INT)
+    string.char(c)
+end
+
+local args = {
+    max_len = 4096,
+    artifact_prefix = "string_char_",
+}
+luzer.Fuzz(TestOneInput, nil, args)

tests/lapi/string_dump_test.lua

@@ -0,0 +1,32 @@
+--[[
+SPDX-License-Identifier: ISC
+Copyright (c) 2023-2025, Sergey Bronnikov.
+
+6.4 – String Manipulation
+https://www.lua.org/manual/5.3/manual.html#6.4
+
+string.dump(table.foreach) will trigger an assert,
+https://github.com/LuaJIT/LuaJIT/issues/1038
+
+An emergency collection when handling an error while loading the upvalues of a function can cause a segfault,
+https://github.com/lua/lua/commit/422ce50d2e8856ed789d1359c673122dbb0088ea
+
+Synopsis: string.dump (function [, strip])
+]]
+
+local luzer = require("luzer")
+local test_lib = require("lib")
+
+local function TestOneInput(buf, _size)
+    local fdp = luzer.FuzzedDataProvider(buf)
+    os.setlocale(test_lib.random_locale(fdp), "all")
+    local len = fdp:consume_integer(0, test_lib.MAX_INT)
+    local str = fdp:consume_string(len)
+    loadstring(string.dump(function() return str end))
+end
+
+local args = {
+    max_len = 4096,
+    artifact_prefix = "string_dump_",
+}
+luzer.Fuzz(TestOneInput, nil, args)

tests/lapi/string_find_test.lua

@@ -0,0 +1,41 @@
+--[[
+SPDX-License-Identifier: ISC
+Copyright (c) 2023-2025, Sergey Bronnikov.
+
+6.4 – String Manipulation
+https://www.lua.org/manual/5.3/manual.html#6.4
+
+Bug in "Don't use STRREF for pointer diff in string.find().",
+https://github.com/LuaJIT/LuaJIT/issues/540
+
+Some patterns can overflow the C stack, due to recursion,
+https://www.lua.org/bugs.html#5.2.1-1
+
+Properly fix pointer diff in string.find(),
+https://github.com/LuaJIT/LuaJIT/commit/0bee44c9
+]]
+
+-- Synopsis: string.find (s, pattern [, init [, plain]])
+
+local luzer = require("luzer")
+local test_lib = require("lib")
+
+local function TestOneInput(buf, _size)
+    local fdp = luzer.FuzzedDataProvider(buf)
+    os.setlocale(test_lib.random_locale(fdp), "all")
+    local len1 = fdp:consume_integer(0, test_lib.MAX_INT)
+    local len2 = fdp:consume_integer(0, test_lib.MAX_INT)
+    local str1 = fdp:consume_string(len1)
+    local str2 = fdp:consume_string(len2)
+    -- FIXME
+    local str = string.format("%s - %s", str1, str2)
+    local begin_pos, end_pos = str:find(str1)
+    assert(begin_pos == 1)
+    assert(end_pos == #str1)
+end
+
+local args = {
+    max_len = 4096,
+    artifact_prefix = "string_find_",
+}
+luzer.Fuzz(TestOneInput, nil, args)

tests/lapi/string_format_test.lua

@@ -0,0 +1,66 @@
+--[[
+SPDX-License-Identifier: ISC
+Copyright (c) 2023-2025, Sergey Bronnikov.
+
+6.4 – String Manipulation
+https://www.lua.org/manual/5.3/manual.html#6.4
+
+stack-buffer-overflow in lj_strfmt_wfnum,
+https://github.com/LuaJIT/LuaJIT/issues/1149
+string.format("%7g",0x1.144399609d407p+401)
+
+string.format %c bug,
+https://github.com/LuaJIT/LuaJIT/issues/378
+
+string.format doesn't take current locale decimal separator into account,
+https://github.com/LuaJIT/LuaJIT/issues/673
+
+string.format("%f") can cause a buffer overflow (only when
+'lua_Number' is long double!),
+https://www.lua.org/bugs.html#5.3.0-1
+
+string.format may get buffer as an argument when there are missing
+arguments and format string is too long,
+https://www.lua.org/bugs.html#5.1.4-7
+
+string.format("%") may read past the string,
+https://www.lua.org/bugs.html#5.1.1-3
+
+Option '%q' in string.formatE does not handle '\r' correctly,
+https://www.lua.org/bugs.html#5.1-4
+
+FFI: Support FFI numbers in string.format() and buf:putf(),
+https://github.com/LuaJIT/LuaJIT/commit/1b7171c3
+
+[0014] CRASH detected in lj_ir_kgc due to a fault at or
+near 0x00007ff7f3274008 leading to SIGSEGV,
+https://github.com/LuaJIT/LuaJIT/issues/1203
+
+Synopsis: string.format (formatstring, ···)
+]]
+
+-- q: booleans, nil, numbers, and strings.
+-- A, a, E, e, f, G, and g: number.
+-- c, d, i, o, u, X, and x: integer.
+-- A and a (hexadecimal floats) do not support modifiers.
+-- s: string
+-- p: pointer returned by lua_topointer
+
+local luzer = require("luzer")
+local test_lib = require("lib")
+
+local function TestOneInput(buf, _size)
+    local fdp = luzer.FuzzedDataProvider(buf)
+    os.setlocale(test_lib.random_locale(fdp), "all")
+    local len = fdp:consume_number(0, test_lib.MAX_INT)
+    local formatstring = fdp:consume_string(len)
+    local values = {} -- FIXME
+    assert((formatstring):format(unpack(values)) ==
+           string.format(formatstring, unpack(values)))
+end
+
+local args = {
+    max_len = 4096,
+    artifact_prefix = "string_format_",
+}
+luzer.Fuzz(TestOneInput, nil, args)

tests/lapi/string_gmatch_test.lua

@@ -0,0 +1,34 @@
+--[[
+SPDX-License-Identifier: ISC
+Copyright (c) 2023-2025, Sergey Bronnikov.
+
+6.4 – String Manipulation
+https://www.lua.org/manual/5.3/manual.html#6.4
+
+GC64: string.gmatch crash,
+https://github.com/LuaJIT/LuaJIT/issues/300
+
+gmatch iterator fails when called from a coroutine different from
+the one that created it,
+https://www.lua.org/bugs.html#5.3.2-3
+
+Synopsis: string.gmatch (s, pattern [, init])
+]]
+
+local luzer = require("luzer")
+local test_lib = require("lib")
+
+local function TestOneInput(buf, _size)
+    local fdp = luzer.FuzzedDataProvider(buf)
+    os.setlocale(test_lib.random_locale(fdp), "all")
+    local len = fdp:consume_integer(0, test_lib.MAX_INT)
+    local str1 = fdp:consume_string(len)
+    local str2 = fdp:consume_string(len)
+    string.gmatch(str1, str2)
+end
+
+local args = {
+    max_len = 4096,
+    artifact_prefix = "string_gmatch_",
+}
+luzer.Fuzz(TestOneInput, nil, args)

tests/lapi/string_gsub_test.lua

@@ -0,0 +1,42 @@
+--[[
+SPDX-License-Identifier: ISC
+Copyright (c) 2023-2025, Sergey Bronnikov.
+
+6.4 – String Manipulation
+https://www.lua.org/manual/5.3/manual.html#6.4
+
+Performance issue for reg expression with "$",
+https://github.com/LuaJIT/LuaJIT/issues/118
+
+LuaJIT's gsub does not work with zero bytes in the pattern string,
+https://github.com/LuaJIT/LuaJIT/issues/860
+
+gsub may go wild when wrongly called without its third argument
+and with a large subject,
+https://www.lua.org/bugs.html#5.1.2-9
+
+Synopsis: string.gsub (s, pattern, repl [, n])
+]]
+
+local luzer = require("luzer")
+local test_lib = require("lib")
+
+local string_gsub = string.gsub
+
+local function TestOneInput(buf, _size)
+    local fdp = luzer.FuzzedDataProvider(buf)
+    local str = fdp:consume_string(0, test_lib.MAX_INT)
+    local pattern = fdp:consume_string(0, test_lib.MAX_INT)
+    local repl = fdp:consume_string(0, test_lib.MAX_INT)
+    local n = fdp:consume_integer(0, test_lib.MAX_INT)
+
+    os.setlocale(test_lib.random_locale(fdp), "all")
+    -- FIXME: malformed pattern (missing ']')
+    string_gsub(str, pattern, repl, n)
+end
+
+local args = {
+    max_len = 4096,
+    artifact_prefix = "string_gsub_",
+}
+luzer.Fuzz(TestOneInput, nil, args)

tests/lapi/string_len_test.lua

@@ -0,0 +1,26 @@
+--[[
+SPDX-License-Identifier: ISC
+Copyright (c) 2023-2025, Sergey Bronnikov.
+
+6.4 – String Manipulation
+https://www.lua.org/manual/5.3/manual.html#6.4
+
+Synopsis: string.len (s)
+]]
+
+local luzer = require("luzer")
+local test_lib = require("lib")
+
+local function TestOneInput(buf, _size)
+    local fdp = luzer.FuzzedDataProvider(buf)
+    os.setlocale(test_lib.random_locale(fdp), "all")
+    local str_len = fdp:consume_integer(0, test_lib.MAX_INT)
+    local str = fdp:consume_string(str_len)
+    assert(string.len(str) == #str)
+end
+
+local args = {
+    max_len = 4096,
+    artifact_prefix = "string_len_",
+}
+luzer.Fuzz(TestOneInput, nil, args)

tests/lapi/string_lower_test.lua

@@ -0,0 +1,26 @@
+--[[
+SPDX-License-Identifier: ISC
+Copyright (c) 2023-2025, Sergey Bronnikov.
+
+6.4 – String Manipulation
+https://www.lua.org/manual/5.3/manual.html#6.4
+
+Synopsis: string.lower (s)
+]]
+
+local luzer = require("luzer")
+local test_lib = require("lib")
+
+local function TestOneInput(buf, _)
+    local fdp = luzer.FuzzedDataProvider(buf)
+    os.setlocale(test_lib.random_locale(fdp), "all")
+    local ch_uppercase = string.char(fdp:consume_number(65, 65 + 25))
+    local ch = string.upper(string.lower(ch_uppercase))
+    assert(ch == ch_uppercase)
+end
+
+local args = {
+    max_len = 4096,
+    artifact_prefix = "string_lower_",
+}
+luzer.Fuzz(TestOneInput, nil, args)