Fix parsing arg

[forzafedor]

I changed the flag formatting algorithm for libfuzzer

2 problems were solved:

• Now all flags are processed correctly and the libfuzzer receives the file name as a zero argument. (libfuzzer receives flag from first index link).
• Now no error with free() function when script finishes work (there was an error in the algorithm of argument parsing).

Now flags (and corpus directories) for libfuzzer can be added from console.
For example:

lua example_basic.lua -max_total_time=60 -only_ascii=1
lua example_basic.lua ./corpus/

But now for luzer.Fuzz() function as third arguments need use global table arg.
If you need to add flags from a Lua script, you can use the construction:

local args = {
    "-only_ascii=1",
}

for i = 1, #args do
    arg[#arg + 1] = args[i]
end

luzer.Fuzz(TestOneInput, nil, arg)

Perhaps there is a better and easier way :)

[forzafedor]

Don't look at the merge yet, I'll change it

[ligurio]

Thanks for the patch!

I left a number of comments, please take a look.
Also, please squash commits to a single one, update commit description (it is better to say that we change arg format, not algorithm, and add a long commit description). Add Fixes #13 at the end of commit message`. Changelog entry is also required.

[ligurio]

BTW docs/api.md should be updated too.
At least this:

• args is a table with arguments: the process arguments to pass to the
  fuzzer. Field corpus specifies a path to a directory with seed corpus, see a
  list with other options in the [libFuzzer documentation][libfuzzer-options-url].

[forzafedor]

Not relevant

[ligurio]

Please describe passing arguments via command-line in documentation.

[ligurio]

documentation is still missed

[ligurio]

arg is added, but in a step 3 it is unused (no options are passed to a script).

[forzafedor]

Fixed it

[forzafedor]

Thanks for the review!
I've changed the argument parsing process and added support for command line arguments.
The code from Lua's has not changed

[ligurio]

Thanks for update!
I like your idea to keep a Lua table with options and merge it with CLI arguments.
Please see the comments inline.

[ligurio]

What for this change?

[forzafedor]

luzer/luzer/luzer.c

Line 330 in 0179547

if (lua_istable(L, -1) == 0) {

At the moment, it is checked that the last argument is a table and if not, fuzzing ends with an error. Therefore, it is necessary to explicitly specify arguments 2 and 3.

[ligurio]

It is not clear why support of CLI arguments makes custom mutator and table with options mandatory for Fuzz function.

[forzafedor]

The problem is that the code currently shown in the readme will not work at all. The fuzzing process will start only if all 3 arguments are passed to the function input. In this PR, the process of parsing input arguments has been changed, I decided to fix this too.

[ligurio]

According to changelog, option allows discarding arguments specified in command line.
What is the point? Just don't pass these options, and that's all. Or I didn't get your usecase.
From my point of view, it is more sense to introduce an option that will allow ignoring libfuzzer options specified in Lua.

[forzafedor]

This is necessary so that if we fuzz functionality that works with command line arguments, there may be problems if the flags are the same.
For example:

local function TestOneInput(buf)
    local fdp = luzer.FuzzedDataProvider(buf)
    local str = fdp:consume_string(4)

    local b = {}
    str:gsub(".", function(c) table.insert(b, c) end)
    if (b[1] == "o" and #arg > 0 and arg[1] == "-help=1") then assert(nil) end
end

if we need to set the "-help=1" flag, then without this environment variable, the fuzzer will simply launch its help and fuzzing will not even start, but with the variable set, this crash will be found.

[ligurio]

According to implementation get_args_from_lua never returns non-zero exit code. It is a Lua C function and we raise lua_error inside it.

[forzafedor]

Fixed it

[ligurio]

Add descriptions for luaL_get_args_from_cli and luaL_get_args_from_table with possible return codes.

[ligurio]

Message "failed to merge arguments" says nothing to user. It is not clear what a problem is happened and what is "merging arguments" at all. Probably it is better to return an error code for each type of error and use this code here. Currently, we return non-zero code in merge_args in case of lack of memory.

[forzafedor]

Fixed it

[ligurio]

same comment as for get_args_from_lua

[forzafedor]

Fixed it

[forzafedor]

Corrected the PR according to your comments

[ligurio]

Please define a var for strlen(key) + 3 and use it in array definition and for snprintf.

[ligurio]

strlen(search_flag) is known, replace with variable (see a previous comment)

[ligurio]

Why ignored? You calculate string length three times!

[ligurio]

getenv(3):

The getenv() function returns a pointer to the value in the environment, or NULL if there is no match.

so comparing not_use_cli_args with NULL is enough

Do not use console arguments when LUZER_NOT_USE_CLI_ARGS_FOR_LF is set (even when equal to 0) and use console arguments when LUZER_NOT_USE_CLI_ARGS_FOR_LF is not set.

[forzafedor]

@ligurio Wait for your response.

[ligurio]

@ligurio Wait for your response.

Sure, I'll take a look.

[ligurio]

Thanks for fixes!
The patch looks good, need some polishing. Please resolve comments that I left.

[ligurio]

It is not clear why support of CLI arguments makes custom mutator and table with options mandatory for Fuzz function.

[forzafedor]

@ligurio Thanks for the review. I fixed everything

[ligurio]

Thanks for fixes! We are close to finish, but need a little more work.
Please take a look on comments.

[ligurio]

Please fix indentation in a whole patch.

[ligurio]

documentation is still missed

[ligurio]

Add comment here with explanation

[ligurio]

Add descriptions for luaL_get_args_from_cli and luaL_get_args_from_table with possible return codes.

[ligurio]

I would rename ENV_NOT_USE_CLI_ARGS to IGNORE_CLI_ARGS and the same for env variable name: LUZER_NOT_USE_CLI_ARGS -> LUZER_IGNORE_CLI_ARGS.

[ligurio]

Used only once in a line below, I would drop it.

[ligurio]

Why functions below returns int and here you are using bool?

[forzafedor]

Do you mean to change return type to int? With return 0/1?

[ligurio]

Probably it is better to put table_args->argv[i] to a separate variable (for example cur_arg) at the beginning of loop iteration. This change will reduce length of lines a bit. Currently, it is difficult to read lines in a loop body.

[ligurio]

It is not a self-explained variable name. I propose to rename to something like retcode, rc or something else.

[ligurio]

Superseded by #21.