Support for arbitrary data types

Not efficient[1], but that mostly needs work on the arbitrary crate, as
opposed to work on libfuzzer-sys.

[1]: fuzzing struggles with e.g.

    fuzz_target!(|data: String| { if data == "banana" { panic!() } });

and takes quite a while to find an input that fails the check (compared
to fuzzing against raw bytes). It seems to me that to take full
advantage of fuzzing structured data, one would have to adjust libFuzzer
somehow or, perhaps, rewrite libFuzzer in rust having precisely
structured fuzzing in mind.

Author: nagisa

.travis.yml

@@ -12,5 +12,8 @@ notifications:
   email: false
 script:
   - cd example
-  - cargo rustc -- -C passes='sancov' -C llvm-args='-sanitizer-coverage-level=3' -Z sanitizer=address
-  - (! ./target/debug/example)
+  - cargo rustc --release -- -C passes='sancov' -C llvm-args='-sanitizer-coverage-level=4' -Z sanitizer=address
+  - (! ./target/release/example -runs=100000)
+  - cd ../example_arbitrary
+  - cargo rustc --release -- -C passes='sancov' -C llvm-args='-sanitizer-coverage-level=4' -Z sanitizer=address
+  - (! ./target/release/example -runs=10000000)

Cargo.toml

@@ -12,6 +12,7 @@ license = "MIT/Apache-2.0/NCSA"
 members = ["."]
 
 [dependencies]
+arbitrary = "0.1"
 
 [build-dependencies]
 gcc = "0.3"

example/src/main.rs

@@ -3,8 +3,8 @@
 #[macro_use]
 extern crate libfuzzer_sys;
 
-fuzz_target!(|data| {
-    if data == b"banana" {
+fuzz_target!(|data: &[u8]| {
+    if data == b"banana!" {
         panic!("success!");
     }
 });

example_arbitrary/Cargo.toml

@@ -0,0 +1,11 @@
+[package]
+name = "example"
+version = "0.1.0"
+authors = ["Simonas Kazlauskas <[email protected]>"]
+
+[workspace]
+members = ["."]
+
+[dependencies]
+libfuzzer-sys = { path = ".." }
+arbitrary = "0.1"

example_arbitrary/src/main.rs

@@ -0,0 +1,10 @@
+#![no_main]
+
+#[macro_use]
+extern crate libfuzzer_sys;
+
+fuzz_target!(|data: u16| {
+    if data == 0xba7 { // ba[nana]
+        panic!("success!");
+    }
+});

src/lib.rs

@@ -1,5 +1,3 @@
-#![feature(process_abort)]
-
 extern "C" {
     #![allow(improper_ctypes)] // we do not actually cross the FFI bound here
 
@@ -23,10 +21,24 @@ macro_rules! fuzz_target {
             $body
         }
     };
-    (|$bytes:ident: &[u8]| $body:block) => {
+    (|$data:ident: &[u8]| $body:block) => {
+        fuzz_target!(|$data| $body);
+    };
+    (|$data:ident: $dty: ty| $body:block) => {
+        extern crate arbitrary;
+
         #[no_mangle]
-        pub extern fn rust_fuzzer_test_input($bytes: &[u8]) {
+        pub extern fn rust_fuzzer_test_input(bytes: &[u8]) {
+            use arbitrary::{Arbitrary, RingBuffer};
+
+            let $data: $dty = if let Ok(d) = RingBuffer::new(bytes, bytes.len()).and_then(|mut b|{
+                Arbitrary::arbitrary(&mut b).map_err(|_| "")
+            }) {
+                d
+            } else {
+                return
+            };
             $body
         }
-    }
+    };
 }