postgresql: Fix fuzzer

Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>

Author: arthurscchan

projects/expat/Dockerfile

@@ -1,5 +1,4 @@
-# Copyright 2016 Google Inc.
-# Copyright 2025 Sebastian Pipping <sebastian@pipping.org>
+# Copyright 2025 Google LLC.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,7 +13,6 @@
 # limitations under the License.
 #
 ################################################################################
-
 FROM gcr.io/oss-fuzz-base/base-builder
 RUN apt-get update && apt-get install -y \
             cmake \
@@ -23,7 +21,7 @@ RUN apt-get update && apt-get install -y \
             libstdc++-9-dev:i386 \
             make \
             protobuf-compiler
-
-RUN git clone --depth 1 https://github.com/libexpat/libexpat expat
-WORKDIR expat
-COPY build.sh *.dict $SRC/
+COPY *.sh *.dict *.diff $SRC/
+RUN git clone https://android.googlesource.com/platform/external/expat expat
+WORKDIR $SRC/expat
+COPY *.c $SRC/expat/expat/fuzz/

projects/expat/build.sh

@@ -1,6 +1,5 @@
 #!/bin/bash -eu
-# Copyright 2016 Google Inc.
-# Copyright 2025 Sebastian Pipping <sebastian@pipping.org>
+# Copyright 2025 Google LLC.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,54 +14,38 @@
 # limitations under the License.
 #
 ################################################################################
+git apply $SRC/fuzzer.diff
 
-# NOTE: We need to drop -stdlib=libc++ to not get (pages of) link errors when
-#       linking against system Protobuf that is linked against GCC's libstdc++
-#       rather than Clang's own libstdc++
 CXXFLAGS="${CXXFLAGS/-stdlib=libc++/ }"
-
-# NOTE: Without -static-libstdc++, the bad build checker in base-runner
-#       will fail with output:
-#       > error while loading shared libraries: libstdc++.so.6:
-#       > cannot open shared object file: No such file or directory
-#       The addition of -Wno-unused-command-line-argument silences Clang's
-#       misleading output on argument -static-libstdc++ appearing as unused.
 CXXFLAGS="${CXXFLAGS} -static-libstdc++ -Wno-unused-command-line-argument"
 
-: ${LD:="${CXX}"}
-: ${LDFLAGS:="${CXXFLAGS}"}  # to make sure we link with sanitizer runtime
-
 cmake_args=(
-    # Specific to Expat
     -DEXPAT_BUILD_DOCS=OFF
     -DEXPAT_BUILD_EXAMPLES=OFF
     -DEXPAT_BUILD_FUZZERS=ON
     -DEXPAT_BUILD_TESTS=OFF
     -DEXPAT_BUILD_TOOLS=OFF
     -DEXPAT_OSSFUZZ_BUILD=ON
     -DEXPAT_SHARED_LIBS=OFF
-    -DProtobuf_USE_STATIC_LIBS=ON
 
-    # C compiler
     -DCMAKE_C_COMPILER="${CC}"
     -DCMAKE_C_FLAGS="${CFLAGS}"
-
-    # C++ compiler
     -DCMAKE_CXX_COMPILER="${CXX}"
     -DCMAKE_CXX_FLAGS="${CXXFLAGS}"
 
-    # Linker
-    -DCMAKE_LINKER="${LD}"
-    -DCMAKE_EXE_LINKER_FLAGS="${LDFLAGS}"
-    -DCMAKE_MODULE_LINKER_FLAGS="${LDFLAGS}"
-    -DCMAKE_SHARED_LINKER_FLAGS="${LDFLAGS}"
+    -DCMAKE_LINKER="ld.lld"
+    -DCMAKE_EXE_LINKER_FLAGS="${CXXFLAGS}"
+    -DCMAKE_MODULE_LINKER_FLAGS="${CXXFLAGS}"
+    -DCMAKE_SHARED_LINKER_FLAGS="${CXXFLAGS}"
 )
 
 mkdir -p build
 cd build
 cmake ../expat "${cmake_args[@]}"
 make -j$(nproc)
 
+libexpat_path=$(find . -name 'libexpat.a' | head -n 1)
+
 for fuzzer in fuzz/*;
 do
   cp $fuzzer $OUT

projects/expat/project.yaml

@@ -1,24 +1,6 @@
-homepage: "https://github.com/libexpat/libexpat"
-language: c++
-primary_contact: "sebastian@pipping.org"
+homepage: "https://github.com/google/oss-fuzz"
+language: c
+primary_contact: "info@oss-fuzz.com"
 auto_ccs:
- - "rhodri@kynesim.co.uk"
- - "hanno@hboeck.de"
- - "webmaster@hartwork.org"
- - "bshas3@gmail.com"
-vendor_ccs:
- - "twsmith@mozilla.com"
-sanitizers:
-  - address
-  - memory
-  - undefined
-architectures:
-  - x86_64
-  - i386
-main_repo: 'https://github.com/libexpat/libexpat'
-
-fuzzing_engines:
-  - afl
-  - honggfuzz
-  - libfuzzer
-
+-
+main_repo: 'https://github.com/google/oss-fuzz'

projects/postgresql/build.sh

@@ -67,10 +67,6 @@ make -j$(nproc) fuzzer
 #if [ "$FUZZING_ENGINE" = "afl" ]
 #then
 rm protocol_fuzzer
-rm simple_query_fuzzer
 #fi
 cp *_fuzzer $OUT/
 cp $SRC/postgresql_fuzzer_seed_corpus.zip $OUT/
-
-# Temporary fix. Todo: David fix this.
-#rm $OUT/protocol_fuzzer

projects/postgresql/fuzzer/simple_query_fuzzer.c

@@ -35,110 +35,77 @@
 #include "utils/snapmgr.h"
 #include "utils/timeout.h"
 
-static void
-exec_simple_query(const char *query_string)
-{
+static void exec_simple_query(const char *query_string) {
   MemoryContext oldcontext;
-  List       *parsetree_list;
-  ListCell   *parsetree_item;
-  bool        use_implicit_block;
+  List *parsetree_list;
+  ListCell *parsetree_item;
 
-  StartTransactionCommand();
   oldcontext = MemoryContextSwitchTo(MessageContext);
-
   parsetree_list = raw_parser(query_string, RAW_PARSE_TYPE_NAME);
   MemoryContextSwitchTo(oldcontext);
 
-  use_implicit_block = (list_length(parsetree_list) > 1);
-
-  foreach(parsetree_item, parsetree_list)
-    {
-      RawStmt    *parsetree = lfirst_node(RawStmt, parsetree_item);
-      bool        snapshot_set = false;
-      MemoryContext per_parsetree_context = NULL;
-      List       *querytree_list,
-	*plantree_list;
-
-      if (use_implicit_block)
-	BeginImplicitTransactionBlock();
-
-      if (analyze_requires_snapshot(parsetree))
-	{
-	  PushActiveSnapshot(GetTransactionSnapshot());
-	  snapshot_set = true;
-	}
-
-      if (lnext(parsetree_list, parsetree_item) != NULL)
-	{
-	  per_parsetree_context =
-	    AllocSetContextCreate(MessageContext,
-				  "per-parsetree message context",
-				  ALLOCSET_DEFAULT_SIZES);
-	  oldcontext = MemoryContextSwitchTo(per_parsetree_context);
-	}
-      else
-	oldcontext = MemoryContextSwitchTo(MessageContext);
-
-      querytree_list = pg_analyze_and_rewrite_fixedparams(parsetree, query_string,
-					      NULL, 0, NULL);
-
-      plantree_list = pg_plan_queries(querytree_list, query_string,
-				      CURSOR_OPT_PARALLEL_OK, NULL);
-
-      if (per_parsetree_context){
-	MemoryContextDelete(per_parsetree_context);
-      }
-      CommitTransactionCommand();
+  foreach (parsetree_item, parsetree_list) {
+    RawStmt *parsetree = lfirst_node(RawStmt, parsetree_item);
+    MemoryContext per_parsetree_context = NULL;
+    List *querytree_list;
+
+    if (lnext(parsetree_list, parsetree_item) != NULL) {
+      per_parsetree_context =
+          AllocSetContextCreate(MessageContext, "per-parsetree message context", ALLOCSET_DEFAULT_SIZES);
+      oldcontext = MemoryContextSwitchTo(per_parsetree_context);
+    } else {
+      oldcontext = MemoryContextSwitchTo(MessageContext);
     }
-}
 
+    querytree_list = pg_analyze_and_rewrite_fixedparams(parsetree, query_string, NULL, 0, NULL);
+    pg_plan_queries(querytree_list, query_string, CURSOR_OPT_PARALLEL_OK, NULL);
+
+    if (per_parsetree_context) {
+      MemoryContextDelete(per_parsetree_context);
+    } else {
+      MemoryContextSwitchTo(oldcontext);
+    }
+  }
+}
 
 int LLVMFuzzerInitialize(int *argc, char ***argv) {
-	FuzzerInitialize("query_db", argv);
-	return 0;
+  MemoryContextInit();
+  InitializeGUCOptions();
+  InitializeMaxBackends();
+
+  MessageContext = AllocSetContextCreate(TopMemoryContext,
+                                         "MessageContext",
+                                         ALLOCSET_DEFAULT_SIZES);
+  return 0;
 }
 
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  if (size == 0)
+    return 0;
 
-/*
-** Main entry point.  The fuzzer invokes this function with each
-** fuzzed input.
-*/
-int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  char* query_string;
   sigjmp_buf local_sigjmp_buf;
-
-  query_string = (char*) calloc( (size+1), sizeof(char) );
+  char *query_string = (char *) calloc(size + 1, sizeof(char));
   memcpy(query_string, data, size);
 
-  if (!sigsetjmp(local_sigjmp_buf, 0))
-    {
-      PG_exception_stack = &local_sigjmp_buf;
-      error_context_stack = NULL;
-	  set_stack_base();
-
-      disable_all_timeouts(false);
-      QueryCancelPending = false;
-      pq_comm_reset();
-      EmitErrorReport();
-
-      AbortCurrentTransaction();
- 
-      PortalErrorCleanup();
-
-      jit_reset_after_error();
-
-      MemoryContextSwitchTo(TopMemoryContext);
-      FlushErrorState();
-
-      MemoryContextSwitchTo(MessageContext);
-      MemoryContextReset(MessageContext);
-
-      InvalidateCatalogSnapshotConditionally();
-
-      SetCurrentStatementStartTimestamp();
-
-      exec_simple_query(query_string);
-    }
+  if (!sigsetjmp(local_sigjmp_buf, 0)) {
+    PG_exception_stack = &local_sigjmp_buf;
+    error_context_stack = NULL;
+    set_stack_base();
+
+    disable_all_timeouts(false);
+    QueryCancelPending = false;
+    pq_comm_reset();
+    EmitErrorReport();
+    jit_reset_after_error();
+
+    MemoryContextSwitchTo(TopMemoryContext);
+    FlushErrorState();
+    MemoryContextSwitchTo(MessageContext);
+    MemoryContextReset(MessageContext);
+    SetCurrentStatementStartTimestamp();
+
+    exec_simple_query(query_string);
+  }
 
   free(query_string);
   return 0;