Add fuzz tests for parsers #1

Closed
opened 2 years ago by p · 1 comments
p commented 2 years ago
Owner

Consider AFL and libFuzzer. The latter appears to be more promising, especially combined with sanitisers.

In any case, we'll need to figure out build. I don't want this to explode into numerous files for each little parser. `LLVMFuzzerTestOneInput` only has the data for arguments, though `LLVMFuzzerInitialize` may switch targets according to arguments--we'll have to erase elements from the argv array for this. Perhaps scan for a new custom `-test=choice` option that either sets the target or lists all choices when not found (and returns failure).

Complex things may make use of seeds but let's see how far we can get without. It would be possible to add a "fuzz" directory with some samples, prefixed by test name.

The "superdriver" will want to use the `-artifact_prefix` option of libFuzzer. It might very well be a simple shell script since CMake would be hard to convince to use a different subcompiler--everything depends on clang.

Targets: `config_item_parse()`, `base64_decode()`, `utf8_validate()`, `ws_parser_push()`, `scgi_parser_push()`, `irc_parse_message()`, `attrs_decode()`, `mpd_client_process_input()`, `fcgi_nv_parser_push()`, `fcgi_parser_push()`, `http_parse_upgrade()`, `http_parse_media_type()`
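One shape the single driver described above could take, as an added example that is not the project's own code: `LLVMFuzzerInitialize` scans argv for the custom `-test=NAME` option, erases that element so libFuzzer never sees an option it does not know, and selects the target; a missing or unknown name lists the choices and fails. The target names and the two stub functions are hypothetical stand-ins for the project's parsers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef void (*fuzz_target_fn)(const uint8_t *data, size_t size);
/* Stand-in targets (hypothetical); the real driver would call the
 * project's parsers here, e.g. base64_decode() or utf8_validate(). */
static void target_base64(const uint8_t *d, size_t n) { (void)d; (void)n; }
static void target_utf8(const uint8_t *d, size_t n) { (void)d; (void)n; }
static const struct { const char *name; fuzz_target_fn fn; } targets[] = {
    { "base64_decode", target_base64 },
    { "utf8_validate", target_utf8 },
};
#define NTARGETS (sizeof targets / sizeof targets[0])
static fuzz_target_fn selected_target;

/* Find -test=NAME in argv, erase it, and select the target. Returns 0 on
 * success; on a missing or unknown name it lists the choices and returns -1. */
int fuzz_select_target(int *argc, char ***argv) {
    const char *choice = NULL;
    for (int i = 1; i < *argc; i++) {
        if (strncmp((*argv)[i], "-test=", 6) == 0) {
            choice = (*argv)[i] + 6;
            /* shift the tail down, including the NULL at argv[argc] */
            memmove(&(*argv)[i], &(*argv)[i + 1], (size_t)(*argc - i) * sizeof(char *));
            (*argc)--;
            break;
        }
    }
    for (size_t t = 0; choice && t < NTARGETS; t++)
        if (strcmp(targets[t].name, choice) == 0) {
            selected_target = targets[t].fn;
            return 0;
        }
    fprintf(stderr, "missing or unknown -test=NAME; choices:\n");
    for (size_t t = 0; t < NTARGETS; t++)
        fprintf(stderr, "  %s\n", targets[t].name);
    return -1;
}

/* libFuzzer ignores this function's return value, so fail explicitly. */
int LLVMFuzzerInitialize(int *argc, char ***argv) {
    if (fuzz_select_target(argc, argv) != 0) exit(1);
    return 0;
}
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    selected_target(data, size);
    return 0;
}
```

Build with `clang -fsanitize=fuzzer,address` and run as `./driver -test=utf8_validate -max_len=64`; the remaining libFuzzer options pass through untouched.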
p self-assigned this 2 years ago
p commented 2 years ago
Poster
Owner

Remaining: `config_item_parse()`, `attrs_decode()`, `mpd_client_process_input()`, `fcgi_nv_parser_push()`, `fcgi_parser_push()`

I suppose I won't think of any better way to use the fuzzer than to give it in the script a length limit and a timeout and enumerate all available targets. I'm slightly disappointed. On the other hand, nothing has failed so far.
p closed this issue 2 years ago