This is an archive of the discontinued LLVM Phabricator instance.

Differential D84611

[libc] Adds fuzz test for strstr and alphabetizes string fuzz CMakeList.
ClosedPublic

Authored by cgyurgyik on Jul 26 2020, 5:13 PM.

Details

Reviewers
sivachandra
Commits
rGe14a7ff76275: [libc] Adds fuzz test for strstr and alphabetizes string fuzz CMakeList.

Diff Detail

Event Timeline

cgyurgyik created this revision.Jul 26 2020, 5:13 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 26 2020, 5:13 PM
Herald added subscribers: libc-commits, ecnelises, tschuett, mgorny. · View Herald Transcript
Harbormaster failed remote builds in B65744: Diff 280762!Jul 26 2020, 5:41 PM
sivachandra added inline comments.Jul 27 2020, 11:44 PM
libc/fuzzing/string/strstr_fuzz.cpp
23

I am not sure if we should use another implementation of strstr to test the real implementation. Instead, can we use strcmp in a brute force manner as strcmp has its own fuzz test.

auto result = __llvm_libc::strstr(haystack, needle);
// Because of the construction below, the input for which result is NULL can be tested separately.
// For the rest:
if (strcmp(result, needle) != 0) {
  __builtin_trap():
}
auto *haystack_ptr = haystack;
for (;haystack_ptr != result; ++haystack)
    if (strcmp(haystack_ptr, needle) == 0) {
      // An earlier occurance of needle was missed by strstr.
      __builtin_trap();
    }
}

This is brute force and calls strcmp for every byte, but avoids reimplementing strstr. WDYT?

cgyurgyik updated this revision to Diff 281340.Jul 28 2020, 1:12 PM
cgyurgyik updated this revision to Diff 281355.Jul 28 2020, 2:03 PM
cgyurgyik marked an inline comment as not done.
cgyurgyik added inline comments.
libc/fuzzing/string/strstr_fuzz.cpp
23

PTAL and let me know if this is what you're looking for.

I had to make some slight modifications since the result returned will include the rest of the string, and thus strcmp() will not always work.

cgyurgyik added inline comments.Jul 28 2020, 2:13 PM
libc/fuzzing/string/strstr_fuzz.cpp
23

Hmm nevermind I need to make some changes to this.

Harbormaster completed remote builds in B66081: Diff 281340.Jul 28 2020, 2:42 PM
Harbormaster completed remote builds in B66090: Diff 281355.Jul 28 2020, 3:20 PM
cgyurgyik updated this revision to Diff 281391.Jul 28 2020, 3:58 PM
cgyurgyik updated this revision to Diff 281396.Jul 28 2020, 4:06 PM
cgyurgyik added inline comments.
libc/fuzzing/string/strstr_fuzz.cpp
23

As discussed, strcmp won't quite work here. Created a helper function that mimics memcmp by comparing each letter up to N.

cgyurgyik marked an inline comment as done.Jul 28 2020, 4:07 PM
Harbormaster completed remote builds in B66116: Diff 281391.Jul 28 2020, 6:37 PM
Harbormaster completed remote builds in B66120: Diff 281396.Jul 28 2020, 6:48 PM
sivachandra added a comment.Jul 29 2020, 12:23 PM

Few nits and questions inline but overall LGTM.

libc/fuzzing/string/strstr_fuzz.cpp
22

LLVM style is to use static functions over anonymous namespaces: https://llvm.org/docs/CodingStandards.html#anonymous-namespaces

22

May be call it simple_memcmp.

65

data1 should be copied so that we can add the null terminator. But, why should we copy into data2? Can we not use the input directly?

cgyurgyik updated this revision to Diff 281709.Jul 29 2020, 12:49 PM
cgyurgyik marked 3 inline comments as done.
cgyurgyik added inline comments.
libc/fuzzing/string/strstr_fuzz.cpp
65

We can, I mostly did it to show there is no intersection between the two. Fixed so that only one new container is created.

sivachandra accepted this revision.Jul 29 2020, 1:14 PM
This revision is now accepted and ready to land.Jul 29 2020, 1:14 PM
Harbormaster completed remote builds in B66270: Diff 281709.Jul 29 2020, 1:25 PM
This revision was landed with ongoing or failed builds.Jul 29 2020, 1:36 PM
Closed by commit rGe14a7ff76275: [libc] Adds fuzz test for strstr and alphabetizes string fuzz CMakeList. (authored by cgyurgyik). · Explain Why
This revision was automatically updated to reflect the committed changes.
cgyurgyik marked an inline comment as done.
cgyurgyik added a commit: rGe14a7ff76275: [libc] Adds fuzz test for strstr and alphabetizes string fuzz CMakeList..

Revision Contents

PathSize
libc/
fuzzing/
string/
15 lines
85 lines

Diff 281721

libc/fuzzing/string/CMakeLists.txt

add_libc_fuzzer( add_libc_fuzzer(
strcmp_fuzz
SRCS
strcmp_fuzz.cpp
DEPENDS
libc.src.string.strcmp
)
add_libc_fuzzer(
strcpy_fuzz strcpy_fuzz
SRCS SRCS
strcpy_fuzz.cpp strcpy_fuzz.cpp
DEPENDS DEPENDS
libc.src.string.memcpy libc.src.string.memcpy
libc.src.string.strcpy libc.src.string.strcpy
libc.src.string.strlen libc.src.string.strlen
) )
add_libc_fuzzer( add_libc_fuzzer(
strcmp_fuzz strstr_fuzz
SRCS SRCS
strcmp_fuzz.cpp strstr_fuzz.cpp
DEPENDS DEPENDS
libc.src.string.strcmp libc.src.string.strstr
libc.src.string.strlen
) )

libc/fuzzing/string/strstr_fuzz.cpp

  • This file was added.
//===-- strstr_fuzz.cpp ---------------------------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
///
/// Fuzzing test for llvm-libc strstr implementation.
///
//===----------------------------------------------------------------------===//
#include "src/string/strlen.h"
#include "src/string/strstr.h"
#include <stddef.h>
#include <stdint.h>
// Simple loop to compare two strings up to a size n.
static int simple_memcmp(const char *left, const char *right, size_t n) {
for (; n && *left == *right; ++left, ++right, --n)
;
return n ? *left - *right : 0;
sivachandraUnsubmitted
Done
ReplyInline Actions

LLVM style is to use static functions over anonymous namespaces: https://llvm.org/docs/CodingStandards.html#anonymous-namespaces

sivachandra: LLVM style is to use `static` functions over anonymous namespaces: https://llvm.
sivachandraUnsubmitted
Done
ReplyInline Actions

May be call it simple_memcmp.

sivachandra: May be call it `simple_memcmp`.
}
sivachandraUnsubmitted
Done
ReplyInline Actions

I am not sure if we should use another implementation of strstr to test the real implementation. Instead, can we use strcmp in a brute force manner as strcmp has its own fuzz test.

auto result = __llvm_libc::strstr(haystack, needle);
// Because of the construction below, the input for which result is NULL can be tested separately.
// For the rest:
if (strcmp(result, needle) != 0) {
  __builtin_trap():
}
auto *haystack_ptr = haystack;
for (;haystack_ptr != result; ++haystack)
    if (strcmp(haystack_ptr, needle) == 0) {
      // An earlier occurance of needle was missed by strstr.
      __builtin_trap();
    }
}

This is brute force and calls strcmp for every byte, but avoids reimplementing strstr. WDYT?

sivachandra: I am not sure if we should use another implementation of `strstr` to test the real…
cgyurgyikAuthorUnsubmitted
Done
ReplyInline Actions

PTAL and let me know if this is what you're looking for.

I had to make some slight modifications since the result returned will include the rest of the string, and thus strcmp() will not always work.

cgyurgyik: PTAL and let me know if this is what you're looking for. I had to make some slight…
cgyurgyikAuthorUnsubmitted
Done
ReplyInline Actions

Hmm nevermind I need to make some changes to this.

cgyurgyik: Hmm nevermind I need to make some changes to this.
cgyurgyikAuthorUnsubmitted
Done
ReplyInline Actions

As discussed, strcmp won't quite work here. Created a helper function that mimics memcmp by comparing each letter up to N.

cgyurgyik: As discussed, `strcmp` won't quite work here. Created a helper function that mimics `memcmp` by…
// The general structure is to take the value of the first byte, set size1 to
// that value, and add the null terminator. size2 will then contain the rest of
// the bytes in data.
// For example, with inputs (data={2, 6, 4, 8, 0}, size=5):
// size1: data[0] = 2
// data1: {2, 6} + '\0' = {2, 6, '\0'}
// size2: size - size1 = 3
// data2: {4, 8, '\0'}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
// Verify the size is at least 1 and the data is null terminated.
if (!size || data[size - 1] != '\0')
return 0;
const size_t size1 = (data[0] <= size ? data[0] : size);
// The first size will always be at least 1 since
// we need to append the null terminator. The second size
// needs to be checked since it must also contain the null
// terminator.
if (size - size1 == 0)
return 0;
// Copy the data into a new container.
uint8_t *container = new uint8_t[size1 + 1];
if (!container)
__builtin_trap();
size_t i;
for (i = 0; i < size1; ++i)
container[i] = data[i];
container[size1] = '\0'; // Add null terminator to container.
const char *needle = reinterpret_cast<const char *>(container);
const char *haystack = reinterpret_cast<const char *>(data + i);
const char *result = __llvm_libc::strstr(haystack, needle);
// A null terminator may exist earlier in each, so this needs to be recorded.
const size_t haystack_size = __llvm_libc::strlen(haystack);
const size_t needle_size = __llvm_libc::strlen(needle);
if (result) {
// The needle is in the haystack.
// 1. Verify that the result matches the needle.
sivachandraUnsubmitted
Done
ReplyInline Actions

data1 should be copied so that we can add the null terminator. But, why should we copy into data2? Can we not use the input directly?

sivachandra: `data1` should be copied so that we can add the null terminator. But, why should we copy into…
cgyurgyikAuthorUnsubmitted
Done
ReplyInline Actions

We can, I mostly did it to show there is no intersection between the two. Fixed so that only one new container is created.

cgyurgyik: We can, I mostly did it to show there is no intersection between the two. Fixed so that only…
if (simple_memcmp(needle, result, needle_size) != 0)
__builtin_trap();
const char *haystack_ptr = haystack;
// 2. Verify that the result is the first occurrence of the needle.
for (; haystack_ptr != result; ++haystack_ptr) {
if (simple_memcmp(needle, haystack_ptr, needle_size) == 0)
__builtin_trap(); // There was an earlier occurrence of the needle.
}
} else {
// No result was found. Verify that the needle doesn't exist within the
// haystack.
for (size_t i = 0; i + needle_size < haystack_size; ++i) {
if (simple_memcmp(needle, haystack + i, needle_size) == 0)
__builtin_trap(); // There was an earlier occurrence of the needle.
}
}
delete[] container;
return 0;
}