Merge pull request #91 from alexcrichton/cargo-fuzz-in-ci

Manishearth · web-flow · commit 2ad33f886670 · 2022-03-03T10:23:14.000-08:00
Migrate to using `cargo fuzz` in CI
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -20,5 +20,7 @@ jobs:
         rustup component add rustfmt --toolchain stable
         cargo +stable fmt --all -- --check
 
+    - run: cargo install cargo-fuzz
+
     - name: Run tests
       run: ./ci/script.sh
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 target
 Cargo.lock
+corpus
diff --git a/Cargo.toml b/Cargo.toml
@@ -20,9 +20,9 @@ arbitrary-derive = ["arbitrary/derive"]
 
 [workspace]
 members = [
-  "./example",
-  "./example_arbitrary",
-  "./example_mutator",
+  "./example/fuzz",
+  "./example_arbitrary/fuzz",
+  "./example_mutator/fuzz",
 ]
 
 [dev-dependencies]
diff --git a/ci/script.sh b/ci/script.sh
@@ -8,56 +8,26 @@ export CARGO_TARGET_DIR=$(pwd)/target
 cargo test --doc
 
 pushd ./example
-cargo rustc \
-      --release \
-      -- \
-      -Ccodegen-units=1 \
-      -Cpasses=sancov-module \
-      -Cllvm-args=-sanitizer-coverage-level=3 \
-      -Cllvm-args=-sanitizer-coverage-trace-compares \
-      -Cllvm-args=-sanitizer-coverage-inline-8bit-counters \
-      -Cllvm-args=-sanitizer-coverage-stack-depth \
-      -Cllvm-args=-sanitizer-coverage-trace-geps \
-      -Cllvm-args=-sanitizer-coverage-prune-blocks=0 \
-      -Zsanitizer=address
-(! $CARGO_TARGET_DIR/release/example -runs=100000)
+cargo fuzz build
+cargo fuzz build  --dev
+(! cargo fuzz run bananas -- -runs=100000)
 popd
 
 pushd ./example_arbitrary
-cargo rustc \
-      --release \
-      -- \
-      -Ccodegen-units=1 \
-      -Cpasses=sancov-module \
-      -Cllvm-args=-sanitizer-coverage-level=3 \
-      -Cllvm-args=-sanitizer-coverage-trace-compares \
-      -Cllvm-args=-sanitizer-coverage-inline-8bit-counters \
-      -Cllvm-args=-sanitizer-coverage-stack-depth \
-      -Cllvm-args=-sanitizer-coverage-trace-geps \
-      -Cllvm-args=-sanitizer-coverage-prune-blocks=0 \
-      -Zsanitizer=address
-(! $CARGO_TARGET_DIR/release/example_arbitrary -runs=10000000)
+cargo fuzz build
+cargo fuzz build  --dev
+(! cargo fuzz run rgb -- -runs=10000000)
 RUST_LIBFUZZER_DEBUG_PATH=$(pwd)/debug_output \
-    $CARGO_TARGET_DIR/release/example_arbitrary \
-    $(ls ./crash-* | head -n 1)
+    cargo fuzz run rgb \
+    $(ls ./fuzz/artifacts/rgb/crash-* | head -n 1)
 cat $(pwd)/debug_output
 grep -q Rgb $(pwd)/debug_output
 popd
 
 pushd ./example_mutator
-cargo rustc \
-      --release \
-      -- \
-      -Ccodegen-units=1 \
-      -Cpasses=sancov-module \
-      -Cllvm-args=-sanitizer-coverage-level=3 \
-      -Cllvm-args=-sanitizer-coverage-trace-compares \
-      -Cllvm-args=-sanitizer-coverage-inline-8bit-counters \
-      -Cllvm-args=-sanitizer-coverage-stack-depth \
-      -Cllvm-args=-sanitizer-coverage-trace-geps \
-      -Cllvm-args=-sanitizer-coverage-prune-blocks=0 \
-      -Zsanitizer=address
-(! $CARGO_TARGET_DIR/release/example_mutator -runs=10000000)
+cargo fuzz build
+cargo fuzz build  --dev
+(! cargo fuzz run boom -- -runs=10000000)
 popd
 
 echo "All good!"
diff --git a/example/Cargo.toml b/example/Cargo.toml
@@ -1,8 +1,6 @@
 [package]
 name = "example"
 version = "0.1.0"
-authors = ["Simonas Kazlauskas <git@kazlauskas.me>"]
-edition = "2018"
+edition = "2021"
 
 [dependencies]
-libfuzzer-sys = { path = ".." }
diff --git a/example/fuzz/Cargo.toml b/example/fuzz/Cargo.toml
@@ -0,0 +1,16 @@
+[package]
+name = "example-fuzz"
+version = "0.1.0"
+authors = ["Simonas Kazlauskas <git@kazlauskas.me>"]
+edition = "2018"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = { path = "../.." }
+example = { path = ".." }
+
+[[bin]]
+name = "bananas"
+path = "fuzz_targets/bananas.rs"
diff --git a/example/fuzz/fuzz_targets/bananas.rs b/example/fuzz/fuzz_targets/bananas.rs
@@ -6,4 +6,5 @@ fuzz_target!(|data: &[u8]| {
     if data == "banana!".as_bytes() {
         panic!("success!");
     }
+    example::bananas(data);
 });
diff --git a/example/src/lib.rs b/example/src/lib.rs
@@ -0,0 +1,5 @@
+pub fn bananas(data: &[u8]) {
+    if data == &b"banana!"[..] {
+        panic!("success!");
+    }
+}
diff --git a/example_arbitrary/Cargo.toml b/example_arbitrary/Cargo.toml
@@ -4,5 +4,5 @@ version = "0.1.0"
 authors = ["Simonas Kazlauskas <git@kazlauskas.me>"]
 edition = "2018"
 
-[dependencies]
-libfuzzer-sys = { path = "..", features = ["arbitrary-derive"] }
+[target.'cfg(fuzzing)'.dependencies]
+arbitrary = "1"
diff --git a/example_arbitrary/fuzz/Cargo.toml b/example_arbitrary/fuzz/Cargo.toml
@@ -0,0 +1,16 @@
+[package]
+name = "example_arbitrary_fuzz"
+version = "0.1.0"
+authors = ["Simonas Kazlauskas <git@kazlauskas.me>"]
+edition = "2018"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = { path = "../..", features = ["arbitrary-derive"] }
+example_arbitrary = { path = ".." }
+
+[[bin]]
+name = "rgb"
+path = "fuzz_targets/rgb.rs"
diff --git a/example_arbitrary/fuzz/fuzz_targets/rgb.rs b/example_arbitrary/fuzz/fuzz_targets/rgb.rs
@@ -0,0 +1,7 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|rgb: example_arbitrary::Rgb| {
+    example_arbitrary::test(rgb);
+});
diff --git a/example_arbitrary/src/lib.rs b/example_arbitrary/src/lib.rs
@@ -1,18 +1,15 @@
-#![no_main]
-
-use libfuzzer_sys::{arbitrary, fuzz_target};
-
-#[derive(arbitrary::Arbitrary, Debug)]
-struct Rgb {
+#[derive(Debug)]
+#[cfg_attr(fuzzing, derive(arbitrary::Arbitrary))]
+pub struct Rgb {
     r: u8,
     g: u8,
     b: u8,
 }
 
-fuzz_target!(|rgb: Rgb| {
+pub fn test(rgb: Rgb) {
     if rgb.r < rgb.g {
         if rgb.g < rgb.b {
             panic!("success: r < g < b!");
         }
     }
-});
+}
diff --git a/example_mutator/Cargo.toml b/example_mutator/Cargo.toml
@@ -4,8 +4,5 @@ version = "0.1.0"
 authors = ["Nick Fitzgerald <fitzgen@gmail.com>"]
 edition = "2018"
 
-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
-
 [dependencies]
 flate2 = "1.0.20"
-libfuzzer-sys = { path = ".." }
diff --git a/example_mutator/fuzz/Cargo.toml b/example_mutator/fuzz/Cargo.toml
@@ -0,0 +1,16 @@
+[package]
+name = "example_mutator_fuzz"
+version = "0.1.0"
+authors = ["Nick Fitzgerald <fitzgen@gmail.com>"]
+edition = "2018"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+flate2 = "1.0.20"
+libfuzzer-sys = { path = "../.." }
+
+[[bin]]
+name = "boom"
+path = "fuzz_targets/boom.rs"
diff --git a/example_mutator/fuzz/fuzz_targets/boom.rs b/example_mutator/fuzz/fuzz_targets/boom.rs
diff --git a/example_mutator/fuzz/fuzz_targets/main.rs b/example_mutator/fuzz/fuzz_targets/main.rs
@@ -0,0 +1,50 @@
+#![no_main]
+
+use flate2::{read::GzDecoder, write::GzEncoder, Compression};
+use libfuzzer_sys::{fuzz_mutator, fuzz_target};
+use std::io::{Read, Write};
+
+fuzz_target!(|data: &[u8]| {
+    example_mutator::test(data);
+});
+
+fuzz_mutator!(
+    |data: &mut [u8], size: usize, max_size: usize, _seed: u32| {
+        // Decompress the input data. If that fails, use a dummy value.
+        let mut decompressed = decompress(&data[..size]).unwrap_or_else(|| b"hi".to_vec());
+
+        // Mutate the decompressed data with `libFuzzer`'s default mutator. Make
+        // the `decompressed` vec's extra capacity available for insertion
+        // mutations via `resize`.
+        let len = decompressed.len();
+        let cap = decompressed.capacity();
+        decompressed.resize(cap, 0);
+        let new_decompressed_size = libfuzzer_sys::fuzzer_mutate(&mut decompressed, len, cap);
+
+        // Recompress the mutated data.
+        let compressed = compress(&decompressed[..new_decompressed_size]);
+
+        // Copy the recompressed mutated data into `data` and return the new size.
+        let new_size = std::cmp::min(max_size, compressed.len());
+        data[..new_size].copy_from_slice(&compressed[..new_size]);
+        new_size
+    }
+);
+
+fn decompress(data: &[u8]) -> Option<Vec<u8>> {
+    let mut decoder = GzDecoder::new(data);
+    let mut decompressed = Vec::new();
+    if decoder.read_to_end(&mut decompressed).is_ok() {
+        Some(decompressed)
+    } else {
+        None
+    }
+}
+
+fn compress(data: &[u8]) -> Vec<u8> {
+    let mut encoder = GzEncoder::new(Vec::new(), Compression::default());
+    encoder
+        .write_all(data)
+        .expect("writing into a vec is infallible");
+    encoder.finish().expect("writing into a vec is infallible")
+}
diff --git a/example_mutator/src/lib.rs b/example_mutator/src/lib.rs
@@ -0,0 +1,20 @@
+use flate2::read::GzDecoder;
+use std::io::Read;
+
+pub fn test(data: &[u8]) {
+    if let Some(data) = decompress(data) {
+        if data.starts_with(b"boom") {
+            panic!();
+        }
+    }
+}
+
+fn decompress(data: &[u8]) -> Option<Vec<u8>> {
+    let mut decoder = GzDecoder::new(data);
+    let mut decompressed = Vec::new();
+    if decoder.read_to_end(&mut decompressed).is_ok() {
+        Some(decompressed)
+    } else {
+        None
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`target`
`2`	`2`	`Cargo.lock`
	`3`	`+corpus`
Original file line number	Diff line number	Diff line change
`@@ -6,4 +6,5 @@ fuzz_target!(\|data: &[u8]\| {`
`6`	`6`	`if data == "banana!".as_bytes() {`
`7`	`7`	`panic!("success!");`
`8`	`8`	`}`
	`9`	`+ example::bananas(data);`
`9`	`10`	`});`