Merge pull request #26 from rust-fuzz/arbitrary

Manishearth · web-flow · commit bcaa8e1c4ee3 · 2017-05-19T14:19:18.000-07:00
Support for arbitrary data types
diff --git a/.travis.yml b/.travis.yml
@@ -12,5 +12,8 @@ notifications:
   email: false
 script:
   - cd example
-  - cargo rustc -- -C passes='sancov' -C llvm-args='-sanitizer-coverage-level=3' -Z sanitizer=address
-  - (! ./target/debug/example)
+  - cargo rustc --release -- -C passes='sancov' -C llvm-args='-sanitizer-coverage-level=4' -Z sanitizer=address
+  - (! ./target/release/example -runs=100000)
+  - cd ../example_arbitrary
+  - cargo rustc --release -- -C passes='sancov' -C llvm-args='-sanitizer-coverage-level=4' -Z sanitizer=address
+  - (! ./target/release/example -runs=10000000)
diff --git a/Cargo.toml b/Cargo.toml
@@ -12,6 +12,7 @@ license = "MIT/Apache-2.0/NCSA"
 members = ["."]
 
 [dependencies]
+arbitrary = "0.1"
 
 [build-dependencies]
 gcc = "0.3"
diff --git a/example/src/main.rs b/example/src/main.rs
@@ -3,8 +3,8 @@
 #[macro_use]
 extern crate libfuzzer_sys;
 
-fuzz_target!(|data| {
-    if data == b"banana" {
+fuzz_target!(|data: &[u8]| {
+    if data == b"banana!" {
         panic!("success!");
     }
 });
diff --git a/example_arbitrary/Cargo.toml b/example_arbitrary/Cargo.toml
@@ -0,0 +1,11 @@
+[package]
+name = "example"
+version = "0.1.0"
+authors = ["Simonas Kazlauskas <git@kazlauskas.me>"]
+
+[workspace]
+members = ["."]
+
+[dependencies]
+libfuzzer-sys = { path = ".." }
+arbitrary = "0.1"
diff --git a/example_arbitrary/src/main.rs b/example_arbitrary/src/main.rs
@@ -0,0 +1,10 @@
+#![no_main]
+
+#[macro_use]
+extern crate libfuzzer_sys;
+
+fuzz_target!(|data: u16| {
+    if data == 0xba7 { // ba[nana]
+        panic!("success!");
+    }
+});
diff --git a/src/lib.rs b/src/lib.rs
@@ -1,5 +1,3 @@
-#![feature(process_abort)]
-
 extern "C" {
     #![allow(improper_ctypes)] // we do not actually cross the FFI bound here
 
@@ -23,10 +21,24 @@ macro_rules! fuzz_target {
             $body
         }
     };
-    (|$bytes:ident: &[u8]| $body:block) => {
+    (|$data:ident: &[u8]| $body:block) => {
+        fuzz_target!(|$data| $body);
+    };
+    (|$data:ident: $dty: ty| $body:block) => {
+        extern crate arbitrary;
+
         #[no_mangle]
-        pub extern fn rust_fuzzer_test_input($bytes: &[u8]) {
+        pub extern fn rust_fuzzer_test_input(bytes: &[u8]) {
+            use arbitrary::{Arbitrary, RingBuffer};
+
+            let $data: $dty = if let Ok(d) = RingBuffer::new(bytes, bytes.len()).and_then(|mut b|{
+                Arbitrary::arbitrary(&mut b).map_err(|_| "")
+            }) {
+                d
+            } else {
+                return
+            };
             $body
         }
-    }
+    };
 }
