Add a fuzzing test

Author: mysterymath

libc/fuzzing/__support/CMakeLists.txt

@@ -23,3 +23,11 @@ add_libc_fuzzer(
   COMPILE_OPTIONS
     -D__LIBC_EXPLICIT_SIMD_OPT
 ) 
+
+add_libc_fuzzer(
+  freelist_heap_fuzz
+  SRCS
+    freelist_heap_fuzz.cpp
+  DEPENDS
+    libc.src.__support.freelist_heap
+)

libc/fuzzing/__support/freelist_heap_fuzz.cpp

@@ -0,0 +1,220 @@
+//===-- freelist_heap_fuzz.cpp --------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+///
+/// Fuzzing test for llvm-libc freelist-based heap implementation.
+///
+//===----------------------------------------------------------------------===//
+
+#include "src/__support/CPP/bit.h"
+#include "src/__support/CPP/optional.h"
+#include "src/__support/freelist_heap.h"
+#include "src/string/memory_utils/inline_memcpy.h"
+#include "src/string/memory_utils/inline_memmove.h"
+#include "src/string/memory_utils/inline_memset.h"
+
+using namespace LIBC_NAMESPACE;
+
+struct Alloc {
+  void *ptr;
+  size_t size;
+  size_t alignment;
+  uint8_t canary;
+};
+
+class AllocVec {
+public:
+  AllocVec(FreeListHeap &heap) : heap(&heap), size_(0), capacity(0) {
+    allocs = nullptr;
+  }
+
+  bool empty() const { return !size_; }
+
+  size_t size() const { return size_; }
+
+  bool push_back(Alloc alloc) {
+    if (size_ == capacity) {
+      size_t new_cap = capacity ? capacity * 2 : 1;
+      Alloc *new_allocs = reinterpret_cast<Alloc *>(
+          heap->realloc(allocs, new_cap * sizeof(Alloc)));
+      if (!new_allocs)
+        return false;
+      allocs = new_allocs;
+      capacity = new_cap;
+    }
+    allocs[size_++] = alloc;
+    return true;
+  }
+
+  Alloc &operator[](size_t idx) { return allocs[idx]; }
+
+  void erase_idx(size_t idx) {
+    inline_memmove(&allocs[idx], &allocs[idx + 1],
+                   sizeof(Alloc) * (size_ - idx - 1));
+    --size_;
+  }
+
+private:
+  FreeListHeap *heap;
+  Alloc *allocs;
+  size_t size_;
+  size_t capacity;
+};
+
+// Choose a T value by casting libfuzzer data or exit.
+template <typename T>
+cpp::optional<T> choose(const uint8_t *&data, size_t &remainder) {
+  if (sizeof(T) > remainder)
+    return cpp::nullopt;
+  T out;
+  inline_memcpy(&out, data, sizeof(T));
+  data += sizeof(T);
+  remainder -= sizeof(T);
+  return out;
+}
+
+enum class AllocType : uint8_t {
+  MALLOC,
+  ALIGNED_ALLOC,
+  REALLOC,
+  CALLOC,
+  NUM_ALLOC_TYPES,
+};
+
+template <>
+cpp::optional<AllocType> choose<AllocType>(const uint8_t *&data,
+                                           size_t &remainder) {
+  auto raw = choose<uint8_t>(data, remainder);
+  if (!raw)
+    return cpp::nullopt;
+  return static_cast<AllocType>(
+      *raw % static_cast<uint8_t>(AllocType::NUM_ALLOC_TYPES));
+}
+
+constexpr size_t heap_size = 64 * 1024;
+
+cpp::optional<size_t> choose_size(const uint8_t *&data, size_t &remainder) {
+  auto raw = choose<uint8_t>(data, remainder);
+  if (!raw)
+    return cpp::nullopt;
+  return *raw % heap_size;
+}
+
+cpp::optional<size_t> choose_alloc_idx(const AllocVec &allocs,
+                                       const uint8_t *&data,
+                                       size_t &remainder) {
+  if (allocs.empty())
+    return cpp::nullopt;
+  auto raw = choose<size_t>(data, remainder);
+  if (!raw)
+    return cpp::nullopt;
+  return *raw % allocs.size();
+}
+
+#define ASSIGN_OR_RETURN(TYPE, NAME, EXPR)                                     \
+  auto maybe_##NAME = EXPR;                                                    \
+  if (!maybe_##NAME)                                                           \
+    return 0;                                                                  \
+  TYPE NAME = *maybe_##NAME
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t remainder) {
+  FreeListHeapBuffer<heap_size> heap;
+  AllocVec allocs(heap);
+
+  uint8_t canary = 0;
+  while (true) {
+    ASSIGN_OR_RETURN(auto, should_alloc, choose<bool>(data, remainder));
+    if (should_alloc) {
+      ASSIGN_OR_RETURN(auto, alloc_type, choose<AllocType>(data, remainder));
+      ASSIGN_OR_RETURN(size_t, alloc_size, choose_size(data, remainder));
+
+      // Perform allocation.
+      void *ptr = nullptr;
+      size_t alignment = alignof(max_align_t);
+      switch (alloc_type) {
+      case AllocType::MALLOC:
+        ptr = heap.allocate(alloc_size);
+        break;
+      case AllocType::ALIGNED_ALLOC: {
+        ASSIGN_OR_RETURN(size_t, alignment, choose_size(data, remainder));
+        alignment = cpp::bit_ceil(alignment);
+        ptr = heap.aligned_allocate(alignment, alloc_size);
+        break;
+      }
+      case AllocType::REALLOC: {
+        if (!alloc_size)
+          return 0;
+        ASSIGN_OR_RETURN(size_t, idx,
+                         choose_alloc_idx(allocs, data, remainder));
+        Alloc &alloc = allocs[idx];
+        ptr = heap.realloc(alloc.ptr, alloc_size);
+        if (ptr) {
+          // Extend the canary region if necessary.
+          if (alloc_size > alloc.size)
+            inline_memset(static_cast<char *>(ptr) + alloc.size, alloc.canary,
+                          alloc_size - alloc.size);
+          alloc.ptr = ptr;
+          alloc.size = alloc_size;
+          alloc.alignment = alignof(max_align_t);
+        }
+        break;
+      }
+      case AllocType::CALLOC: {
+        ASSIGN_OR_RETURN(size_t, count, choose_size(data, remainder));
+        size_t total;
+        if (__builtin_mul_overflow(count, alloc_size, &total))
+          return 0;
+        ptr = heap.calloc(count, alloc_size);
+        if (ptr)
+          for (size_t i = 0; i < total; ++i)
+            if (static_cast<char *>(ptr)[i] != 0)
+              __builtin_trap();
+        break;
+      }
+      case AllocType::NUM_ALLOC_TYPES:
+        __builtin_unreachable();
+      }
+
+      if (ptr) {
+        if (alignment < alignof(max_align_t))
+          alignment = alignof(max_align_t);
+        // Check alignment.
+        if (reinterpret_cast<uintptr_t>(ptr) % alignment)
+          __builtin_trap();
+
+        if (alloc_type != AllocType::REALLOC) {
+          // Fill the object with a canary byte.
+          inline_memset(ptr, canary, alloc_size);
+
+          // Track the allocation.
+          if (!allocs.push_back({ptr, alloc_size, alignment, canary}))
+            return 0;
+          ++canary;
+        }
+      }
+    } else {
+      // Select a random allocation.
+      ASSIGN_OR_RETURN(size_t, idx, choose_alloc_idx(allocs, data, remainder));
+      Alloc &alloc = allocs[idx];
+
+      // Check alignment.
+      if (reinterpret_cast<uintptr_t>(alloc.ptr) % alloc.alignment)
+        __builtin_trap();
+
+      // Check the canary.
+      uint8_t *ptr = reinterpret_cast<uint8_t *>(alloc.ptr);
+      for (size_t i = 0; i < alloc.size; ++i)
+        if (ptr[i] != alloc.canary)
+          __builtin_trap();
+
+      // Free the allocation and untrack it.
+      heap.free(alloc.ptr);
+      allocs.erase_idx(idx);
+    }
+  }
+  return 0;
+}

libc/src/__support/block.h

@@ -217,14 +217,11 @@ class Block {
 
   /// Attempts to split this block.
   ///
-  /// If successful, the block will have an inner size of `new_inner_size`,
-  /// rounded to ensure that the split point is on an ALIGNMENT boundary. The
-  /// remaining space will be returned as a new block. Note that the prev_ field
-  /// of the next block counts as part of the inner size of the returnd block.
-  ///
-  /// This method may fail if the remaining space is too small to hold a new
-  /// block. If this method fails for any reason, the original block is
-  /// unmodified.
+  /// If successful, the block will have an inner size of at least
+  /// `new_inner_size`, rounded to ensure that the split point is on an
+  /// ALIGNMENT boundary. The remaining space will be returned as a new block.
+  /// Note that the prev_ field of the next block counts as part of the inner
+  /// size of the returnd block.
   optional<Block *> split(size_t new_inner_size);
 
   /// Merges this block with the one that comes after it.
@@ -458,7 +455,7 @@ Block<OffsetType, kAlign>::split(size_t new_inner_size) {
   // The prev_ field of the next block is always available, so there is a
   // minimum size to a block created through splitting.
   if (new_inner_size < sizeof(prev_))
-    return {};
+    new_inner_size = sizeof(prev_);
 
   size_t old_inner_size = inner_size();
   new_inner_size =

libc/src/__support/freelist_heap.h

@@ -17,6 +17,7 @@
 #include "src/__support/CPP/span.h"
 #include "src/__support/libc_assert.h"
 #include "src/__support/macros/config.h"
+#include "src/__support/math_extras.h"
 #include "src/string/memory_utils/inline_memcpy.h"
 #include "src/string/memory_utils/inline_memset.h"
 
@@ -90,7 +91,7 @@ LIBC_INLINE void *FreeListHeap::allocate_impl(size_t alignment, size_t size) {
 
   size_t request_size = size;
   if (alignment > alignof(max_align_t)) {
-    if (add_overflow(size, alignment - 1, size))
+    if (add_overflow(size, alignment - 1, request_size))
       return nullptr;
   }
 

libc/src/__support/freetrie.cpp

@@ -32,15 +32,19 @@ void FreeTrie::remove(Node *node) {
     new_node = leaf;
   }
 
+  if (!is_head(node))
+    return;
+
   // Copy the trie links to the new head.
   new_node->lower = node->lower;
   new_node->upper = node->upper;
   new_node->parent = node->parent;
   replace_node(node, new_node);
-  return;
 }
 
 void FreeTrie::replace_node(Node *node, Node *new_node) {
+  LIBC_ASSERT(is_head(node) && "only head nodes contain trie links");
+
   if (node->parent) {
     Node *&parent_child =
         node->parent->lower == node ? node->parent->lower : node->parent->upper;

libc/src/__support/freetrie.h

@@ -38,17 +38,20 @@ namespace LIBC_NAMESPACE_DECL {
 /// The trie refers to, but does not own, the Nodes that comprise it.
 class FreeTrie {
 public:
-  /// A trie node that is also a free list. The subtrie contains a continous
-  /// SizeRange of free lists. The lower and upper subtrie's contain the lower
-  /// and upper half of the subtries range. There is no direct relationship
-  /// between the size of this node's free list and the contents of the lower
-  /// and upper subtries.
+  /// A trie node that is also a free list. Only the head node of each list is
+  /// actually part of the trie. The subtrie contains a continous SizeRange of
+  /// free lists. The lower and upper subtrie's contain the lower and upper half
+  /// of the subtries range. There is no direct relationship between the size of
+  /// this node's free list and the contents of the lower and upper subtries.
   class Node : public FreeList::Node {
     /// The child subtrie covering the lower half of this subtrie's size range.
+    /// Undefined if this is not the head of the list.
     Node *lower;
     /// The child subtrie covering the upper half of this subtrie's size range.
+    /// Undefined if this is not the head of the list.
     Node *upper;
-    /// The parent subtrie or nullptr if this is the root.
+    /// The parent subtrie. nullptr if this is the root or not the head of the
+    /// list.
     Node *parent;
 
     friend class FreeTrie;
@@ -103,6 +106,9 @@ class FreeTrie {
   Node *find_best_fit(size_t size);
 
 private:
+  /// @returns Whether a node is the head of its containing freelist.
+  bool is_head(Node *node) const { return node->parent || node == root; }
+
   /// Replaces references to one node with another (or nullptr) in all adjacent
   /// parent and child nodes.
   void replace_node(Node *node, Node *new_node);
@@ -134,9 +140,13 @@ LIBC_INLINE void FreeTrie::push(Block<> *block) {
   }
 
   Node *node = new (block->usable_space()) Node;
-  node->lower = node->upper = nullptr;
-  node->parent = parent;
   FreeList list = *cur;
+  if (list.empty()) {
+    node->parent = parent;
+    node->lower = node->upper = nullptr;
+  } else {
+    node->parent = nullptr;
+  }
   list.push(node);
   *cur = static_cast<Node *>(list.begin());
 }

libc/test/src/__support/block_test.cpp

@@ -238,20 +238,6 @@ TEST_FOR_EACH_BLOCK_TYPE(CannotMakeSecondBlockLargerInSplit) {
   ASSERT_FALSE(result.has_value());
 }
 
-TEST_FOR_EACH_BLOCK_TYPE(CannotMakeZeroSizeFirstBlock) {
-  // This block doesn't support splitting with zero payload size, since the
-  // prev_ field of the next block is always available.
-  constexpr size_t kN = 1024;
-
-  alignas(BlockType::ALIGNMENT) array<byte, kN> bytes;
-  auto result = BlockType::init(bytes);
-  ASSERT_TRUE(result.has_value());
-  BlockType *block = *result;
-
-  result = block->split(0);
-  EXPECT_FALSE(result.has_value());
-}
-
 TEST_FOR_EACH_BLOCK_TYPE(CanMakeMinimalSizeFirstBlock) {
   // This block does support splitting with minimal payload size.
   constexpr size_t kN = 1024;