Merge pull request #79 from fitzgen/custom-mutators

Add support for defining custom mutators

Author: fitzgen

Cargo.toml

@@ -16,3 +16,14 @@ cc = "1.0"
 
 [features]
 arbitrary-derive = ["arbitrary/derive"]
+
+[workspace]
+members = [
+  "./example",
+  "./example_arbitrary",
+  "./example_mutator",
+]
+
+[dev-dependencies]
+flate2 = "1.0.20"
+rand = "0.8.3"

ci/script.sh

@@ -5,6 +5,8 @@ cd $(dirname $0)/..
 
 export CARGO_TARGET_DIR=$(pwd)/target
 
+cargo test --doc
+
 pushd ./example
 cargo rustc \
       --release \
@@ -39,3 +41,18 @@ RUST_LIBFUZZER_DEBUG_PATH=$(pwd)/debug_output \
 cat $(pwd)/debug_output
 grep -q Rgb $(pwd)/debug_output
 popd
+
+pushd ./example_mutator
+cargo rustc \
+      --release \
+      -- \
+      -Cpasses='sancov' \
+      -Cllvm-args=-sanitizer-coverage-level=3 \
+      -Cllvm-args=-sanitizer-coverage-trace-compares \
+      -Cllvm-args=-sanitizer-coverage-inline-8bit-counters \
+      -Cllvm-args=-sanitizer-coverage-stack-depth \
+      -Cllvm-args=-sanitizer-coverage-trace-geps \
+      -Cllvm-args=-sanitizer-coverage-prune-blocks=0 \
+      -Zsanitizer=address
+(! $CARGO_TARGET_DIR/release/example_mutator -runs=10000000)
+popd

example/Cargo.toml

@@ -4,8 +4,5 @@ version = "0.1.0"
 authors = ["Simonas Kazlauskas <[email protected]>"]
 edition = "2018"
 
-[workspace]
-members = ["."]
-
 [dependencies]
 libfuzzer-sys = { path = ".." }

example_arbitrary/Cargo.toml

@@ -4,8 +4,5 @@ version = "0.1.0"
 authors = ["Simonas Kazlauskas <[email protected]>"]
 edition = "2018"
 
-[workspace]
-members = ["."]
-
 [dependencies]
 libfuzzer-sys = { path = "..", features = ["arbitrary-derive"] }

example_mutator/.gitignore

@@ -0,0 +1 @@
+crash-*

example_mutator/Cargo.toml

@@ -0,0 +1,11 @@
+[package]
+name = "example_mutator"
+version = "0.1.0"
+authors = ["Nick Fitzgerald <[email protected]>"]
+edition = "2018"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+flate2 = "1.0.20"
+libfuzzer-sys = { path = ".." }

example_mutator/src/main.rs

@@ -0,0 +1,55 @@
+#![no_main]
+
+use flate2::{read::GzDecoder, write::GzEncoder, Compression};
+use libfuzzer_sys::{fuzz_mutator, fuzz_target};
+use std::io::{Read, Write};
+
+fuzz_target!(|data: &[u8]| {
+    // Decompress the input data and crash if it starts with "boom".
+    if let Some(data) = decompress(data) {
+        if data.starts_with(b"boom") {
+            panic!();
+        }
+    }
+});
+
+fuzz_mutator!(
+    |data: &mut [u8], size: usize, max_size: usize, _seed: u32| {
+        // Decompress the input data. If that fails, use a dummy value.
+        let mut decompressed = decompress(&data[..size]).unwrap_or_else(|| b"hi".to_vec());
+
+        // Mutate the decompressed data with `libFuzzer`'s default mutator. Make
+        // the `decompressed` vec's extra capacity available for insertion
+        // mutations via `resize`.
+        let len = decompressed.len();
+        let cap = decompressed.capacity();
+        decompressed.resize(cap, 0);
+        let new_decompressed_size = libfuzzer_sys::fuzzer_mutate(&mut decompressed, len, cap);
+
+        // Recompress the mutated data.
+        let compressed = compress(&decompressed[..new_decompressed_size]);
+
+        // Copy the recompressed mutated data into `data` and return the new size.
+        let new_size = std::cmp::min(max_size, compressed.len());
+        data[..new_size].copy_from_slice(&compressed[..new_size]);
+        new_size
+    }
+);
+
+fn decompress(data: &[u8]) -> Option<Vec<u8>> {
+    let mut decoder = GzDecoder::new(data);
+    let mut decompressed = Vec::new();
+    if decoder.read_to_end(&mut decompressed).is_ok() {
+        Some(decompressed)
+    } else {
+        None
+    }
+}
+
+fn compress(data: &[u8]) -> Vec<u8> {
+    let mut encoder = GzEncoder::new(Vec::new(), Compression::default());
+    encoder
+        .write_all(data)
+        .expect("writing into a vec is infallible");
+    encoder.finish().expect("writing into a vec is infallible")
+}

libfuzzer/CREDITS.TXT

@@ -26,7 +26,6 @@ inline uint32_t Bswap(uint32_t x) { return __builtin_bswap32(x); }
 inline uint64_t Bswap(uint64_t x) { return __builtin_bswap64(x); }
 
 inline uint32_t Clzll(unsigned long long X) { return __builtin_clzll(X); }
-inline uint32_t Clz(unsigned long long X) { return __builtin_clz(X); }
 inline int Popcountll(unsigned long long X) { return __builtin_popcountll(X); }
 
 }  // namespace fuzzer

libfuzzer/FuzzerBuiltins.h

@@ -52,12 +52,6 @@ inline uint32_t Clzll(uint64_t X) {
   return 64;
 }
 
-inline uint32_t Clz(uint32_t X) {
-  unsigned long LeadZeroIdx = 0;
-  if (_BitScanReverse(&LeadZeroIdx, X)) return 31 - LeadZeroIdx;
-  return 32;
-}
-
 inline int Popcountll(unsigned long long X) {
 #if !defined(_M_ARM) && !defined(_M_X64)
   return __popcnt(X) + __popcnt(X >> 32);