Add fuzz tests for parsers #1
No description provided.
Consider AFL and libFuzzer. The latter appears to be more promising, especially combined with sanitisers.
In any case, we'll need to figure out build. I don't want this to explode into numerous files for each little parser.
`LLVMFuzzerTestOneInput` only has the data for arguments, though `LLVMFuzzerInitialize` may switch targets according to arguments--we'll have to erase elements from the argv array for this. Perhaps scan for a new `custom-test=choice` option that either sets the target or lists all choices when not found (and returns failure).

Complex things may make use of seeds but let's see how far we can get without. It would be possible to add a "fuzz" directory with some samples, prefixed by test name.
The "superdriver" will want to use the `-artifact_prefix` option of libFuzzer. It might very well be a simple shell script since CMake would be hard to convince to use a different subcompiler--everything depends on clang.

Targets:

- `config_item_parse()`
- `base64_decode()`
- `utf8_validate()`
- `ws_parser_push()`
- `scgi_parser_push()`
- `irc_parse_message()`
- `attrs_decode()`
- `mpd_client_process_input()`
- `fcgi_nv_parser_push()`
- `fcgi_parser_push()`
- `http_parse_upgrade()`
- `http_parse_media_type()`
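An added example of the dispatch scheme described above (not code from this project or its author): a single libFuzzer harness whose `LLVMFuzzerInitialize` scans argv for a custom option, erases it from the array before libFuzzer parses its own flags, selects one target function, and lists all targets with a failure code when the choice is missing or unknown. The option name `-custom-test=`, the `fuzz_select_target` helper and the two stub parsers are assumptions for illustration; the stubs only borrow the names `utf8_validate` and `base64_decode` from the target list and are not the project's implementations.

```c
// Added example (not the project's code): one libFuzzer "superdriver" that
// picks a parser target from a custom option, erases that option from argv so
// libFuzzer never sees it, and lists the choices when nothing matches.
// "-custom-test=" and the two stub parsers are assumptions for illustration.
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int (*fuzz_target_fn) (const uint8_t *data, size_t len);

// Stand-in for utf8_validate(): 1 when `s` is well-formed UTF-8 (no truncated
// sequences, overlongs, surrogates, or code points above U+10FFFF).
static int stub_utf8_validate (const uint8_t *s, size_t len) {
	for (size_t i = 0; i < len; ) {
		uint8_t c = s[i]; size_t n; uint32_t cp, min;
		if (c < 0x80) { i++; continue; }
		else if ((c & 0xE0) == 0xC0) { n = 1; cp = c & 0x1F; min = 0x80; }
		else if ((c & 0xF0) == 0xE0) { n = 2; cp = c & 0x0F; min = 0x800; }
		else if ((c & 0xF8) == 0xF0) { n = 3; cp = c & 0x07; min = 0x10000; }
		else return 0;                          // stray continuation or 0xF8+
		if (i + n >= len) return 0;             // truncated sequence
		for (size_t k = 1; k <= n; k++) {
			if ((s[i + k] & 0xC0) != 0x80) return 0;
			cp = cp << 6 | (s[i + k] & 0x3F);
		}
		if (cp < min || (cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF) return 0;
		i += n + 1;
	}
	return 1;
}

// Stand-in for base64_decode(): accepts only a 4-aligned alphabet with at most
// two trailing '=' and nothing after them.
static int stub_base64_check (const uint8_t *s, size_t len) {
	size_t pad = 0;
	if (len % 4) return 0;
	for (size_t i = 0; i < len; i++) {
		if (s[i] == '=') { if (++pad > 2) return 0; }
		else if (pad || (!isalnum (s[i]) && s[i] != '+' && s[i] != '/')) return 0;
	}
	return 1;
}

static const struct { const char *name; fuzz_target_fn fn; } fuzz_targets[] = {
	{ "utf8_validate", stub_utf8_validate },
	{ "base64_decode", stub_base64_check },
};
#define N_TARGETS (sizeof fuzz_targets / sizeof *fuzz_targets)

// Consumes every "-custom-test=NAME" in argv, shifting the remaining pointers
// (including the terminating NULL) down, and returns the chosen target's index.
// Lists the targets and returns -1 when the option is absent or unknown.
int fuzz_select_target (int *argc, char ***argv) {
	static const char prefix[] = "-custom-test=";
	int selected = -1;
	for (int i = 1; i < *argc; ) {
		if (strncmp ((*argv)[i], prefix, sizeof prefix - 1)) { i++; continue; }
		const char *choice = (*argv)[i] + sizeof prefix - 1;
		selected = -1;                          // the last option wins
		for (size_t t = 0; t < N_TARGETS; t++)
			if (!strcmp (choice, fuzz_targets[t].name)) selected = (int) t;
		memmove (&(*argv)[i], &(*argv)[i + 1], (size_t) (*argc - i) * sizeof **argv);
		(*argc)--;
	}
	if (selected < 0) {
		fprintf (stderr, "usage: fuzz -custom-test=TARGET [libFuzzer options]\n");
		for (size_t t = 0; t < N_TARGETS; t++)
			fprintf (stderr, "  %s\n", fuzz_targets[t].name);
	}
	return selected;
}

static fuzz_target_fn g_target;

// libFuzzer runs this before parsing its own flags, so the custom option has
// to be gone from argv by the time it returns.
int LLVMFuzzerInitialize (int *argc, char ***argv) {
	int t = fuzz_select_target (argc, argv);
	if (t < 0) exit (EXIT_FAILURE);
	g_target = fuzz_targets[t].fn;
	return 0;
}

int LLVMFuzzerTestOneInput (const uint8_t *data, size_t len) {
	g_target (data, len);
	return 0;                                   // non-zero is reserved by libFuzzer
}
```

Build with `clang -g -fsanitize=fuzzer,address fuzz.c -o fuzz` and run `./fuzz -custom-test=utf8_validate -artifact_prefix=out/ -max_len=512 corpus/`; libFuzzer supplies `main`, and because the custom option has already been removed it only sees its own flags. Running with no option, or with an unknown name, prints the target list and exits non-zero, which is what a driver script enumerating targets wants to detect.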
Remaining:

- `config_item_parse()`
- `attrs_decode()`
- `mpd_client_process_input()`
- `fcgi_nv_parser_push()`
- `fcgi_parser_push()`
I suppose I won't think of any better way to use the fuzzer than to give it in the script a length limit and a timeout and enumerate all available targets. I'm slightly disappointed. On the other hand, nothing has failed so far.