Bitcoin Core  27.99.0
P2P Digital Currency
fuzz.cpp
Go to the documentation of this file.
1 // Copyright (c) 2009-present The Bitcoin Core developers
2 // Distributed under the MIT software license, see the accompanying
3 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
4 
5 #include <test/fuzz/fuzz.h>
6 
7 #include <netaddress.h>
8 #include <netbase.h>
9 #include <test/util/random.h>
10 #include <test/util/setup_common.h>
11 #include <util/check.h>
12 #include <util/fs.h>
13 #include <util/sock.h>
14 #include <util/time.h>
15 
16 #include <csignal>
17 #include <cstdint>
18 #include <cstdio>
19 #include <cstdlib>
20 #include <cstring>
21 #include <exception>
22 #include <fstream>
23 #include <functional>
24 #include <iostream>
25 #include <map>
26 #include <memory>
27 #include <string>
28 #include <tuple>
29 #include <utility>
30 #include <vector>
31 
32 #if defined(PROVIDE_FUZZ_MAIN_FUNCTION) && defined(__AFL_FUZZ_INIT)
33 __AFL_FUZZ_INIT();
34 #endif
35 
36 const std::function<void(const std::string&)> G_TEST_LOG_FUN{};
37 
38 const std::function<std::string()> G_TEST_GET_FULL_NAME{};
39 
47 static std::vector<const char*> g_args;
48 
49 static void SetArgs(int argc, char** argv) {
50  for (int i = 1; i < argc; ++i) {
51  // Only take into account arguments that start with `--`. The others are for the fuzz engine:
52  // `fuzz -runs=1 fuzz_seed_corpus/address_deserialize_v2 --checkaddrman=5`
53  if (strlen(argv[i]) > 2 && argv[i][0] == '-' && argv[i][1] == '-') {
54  g_args.push_back(argv[i]);
55  }
56  }
57 }
58 
59 const std::function<std::vector<const char*>()> G_TEST_COMMAND_LINE_ARGUMENTS = []() {
60  return g_args;
61 };
62 
63 struct FuzzTarget {
64  const TypeTestOneInput test_one_input;
65  const FuzzTargetOptions opts;
66 };
67 
68 auto& FuzzTargets()
69 {
70  static std::map<std::string_view, FuzzTarget> g_fuzz_targets;
71  return g_fuzz_targets;
72 }
73 
74 void FuzzFrameworkRegisterTarget(std::string_view name, TypeTestOneInput target, FuzzTargetOptions opts)
75 {
76  const auto [it, ins]{FuzzTargets().try_emplace(name, FuzzTarget /* temporary can be dropped after Apple-Clang-16 ? */ {std::move(target), std::move(opts)})};
77  Assert(ins);
78 }
79 
80 static std::string_view g_fuzz_target;
81 static const TypeTestOneInput* g_test_one_input{nullptr};
82 
83 
84 #if defined(__clang__) && defined(__linux__)
85 extern "C" void __llvm_profile_reset_counters(void) __attribute__((weak));
86 extern "C" void __gcov_reset(void) __attribute__((weak));
87 
88 void ResetCoverageCounters()
89 {
90  if (__llvm_profile_reset_counters) {
91  __llvm_profile_reset_counters();
92  }
93 
94  if (__gcov_reset) {
95  __gcov_reset();
96  }
97 }
98 #else
99 void ResetCoverageCounters() {}
100 #endif
101 
102 
103 void initialize()
104 {
105  // By default, make the RNG deterministic with a fixed seed. This will affect all
106  // randomness during the fuzz test, except:
107  // - GetStrongRandBytes(), which is used for the creation of private key material.
108  // - Creating a BasicTestingSetup or derived class will switch to a random seed.
109  SeedRandomForTest(SeedRand::ZEROS);
110 
111  // Terminate immediately if a fuzzing harness ever tries to create a socket.
112  // Individual tests can override this by pointing CreateSock to a mocked alternative.
113  CreateSock = [](int, int, int) -> std::unique_ptr<Sock> { std::terminate(); };
114 
115  // Terminate immediately if a fuzzing harness ever tries to perform a DNS lookup.
116  g_dns_lookup = [](const std::string& name, bool allow_lookup) {
117  if (allow_lookup) {
118  std::terminate();
119  }
120  return WrappedGetAddrInfo(name, false);
121  };
122 
123  bool should_exit{false};
124  if (std::getenv("PRINT_ALL_FUZZ_TARGETS_AND_ABORT")) {
125  for (const auto& [name, t] : FuzzTargets()) {
126  if (t.opts.hidden) continue;
127  std::cout << name << std::endl;
128  }
129  should_exit = true;
130  }
131  if (const char* out_path = std::getenv("WRITE_ALL_FUZZ_TARGETS_AND_ABORT")) {
132  std::cout << "Writing all fuzz target names to '" << out_path << "'." << std::endl;
133  std::ofstream out_stream{out_path, std::ios::binary};
134  for (const auto& [name, t] : FuzzTargets()) {
135  if (t.opts.hidden) continue;
136  out_stream << name << std::endl;
137  }
138  should_exit = true;
139  }
140  if (should_exit) {
141  std::exit(EXIT_SUCCESS);
142  }
143  if (const auto* env_fuzz{std::getenv("FUZZ")}) {
144  // To allow for easier fuzz executable binary modification,
145  static std::string g_copy{env_fuzz}; // create copy to avoid compiler optimizations, and
146  g_fuzz_target = g_copy.c_str(); // strip string after the first null-char.
147  } else {
148  std::cerr << "Must select fuzz target with the FUZZ env var." << std::endl;
149  std::cerr << "Hint: Set the PRINT_ALL_FUZZ_TARGETS_AND_ABORT=1 env var to see all compiled targets." << std::endl;
150  std::exit(EXIT_FAILURE);
151  }
152  const auto it = FuzzTargets().find(g_fuzz_target);
153  if (it == FuzzTargets().end()) {
154  std::cerr << "No fuzz target compiled for " << g_fuzz_target << "." << std::endl;
155  std::exit(EXIT_FAILURE);
156  }
157  Assert(!g_test_one_input);
158  g_test_one_input = &it->second.test_one_input;
159  it->second.opts.init();
160 
161  ResetCoverageCounters();
162 }
163 
164 #if defined(PROVIDE_FUZZ_MAIN_FUNCTION)
165 static bool read_stdin(std::vector<uint8_t>& data)
166 {
167  std::istream::char_type buffer[1024];
168  std::streamsize length;
169  while ((std::cin.read(buffer, 1024), length = std::cin.gcount()) > 0) {
170  data.insert(data.end(), buffer, buffer + length);
171  }
172  return length == 0;
173 }
174 #endif
175 
176 #if defined(PROVIDE_FUZZ_MAIN_FUNCTION) && !defined(__AFL_LOOP)
177 static bool read_file(fs::path p, std::vector<uint8_t>& data)
178 {
179  uint8_t buffer[1024];
180  FILE* f = fsbridge::fopen(p, "rb");
181  if (f == nullptr) return false;
182  do {
183  const size_t length = fread(buffer, sizeof(uint8_t), sizeof(buffer), f);
184  if (ferror(f)) return false;
185  data.insert(data.end(), buffer, buffer + length);
186  } while (!feof(f));
187  fclose(f);
188  return true;
189 }
190 #endif
191 
192 #if defined(PROVIDE_FUZZ_MAIN_FUNCTION) && !defined(__AFL_LOOP)
193 static fs::path g_input_path;
194 void signal_handler(int signal)
195 {
196  if (signal == SIGABRT) {
197  std::cerr << "Error processing input " << g_input_path << std::endl;
198  } else {
199  std::cerr << "Unexpected signal " << signal << " received\n";
200  }
201  std::_Exit(EXIT_FAILURE);
202 }
203 #endif
204 
205 // This function is used by libFuzzer
206 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
207 {
208  static const auto& test_one_input = *Assert(g_test_one_input);
209  test_one_input({data, size});
210  return 0;
211 }
212 
213 // This function is used by libFuzzer
214 extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
215 {
216  SetArgs(*argc, *argv);
217  initialize();
218  return 0;
219 }
220 
221 #if defined(PROVIDE_FUZZ_MAIN_FUNCTION)
222 int main(int argc, char** argv)
223 {
224  initialize();
225  static const auto& test_one_input = *Assert(g_test_one_input);
226 #ifdef __AFL_LOOP
227  // Enable AFL persistent mode. Requires compilation using afl-clang-fast++.
228  // See fuzzing.md for details.
229  const uint8_t* buffer = __AFL_FUZZ_TESTCASE_BUF;
230  while (__AFL_LOOP(100000)) {
231  size_t buffer_len = __AFL_FUZZ_TESTCASE_LEN;
232  test_one_input({buffer, buffer_len});
233  }
234 #else
235  std::vector<uint8_t> buffer;
236  if (argc <= 1) {
237  if (!read_stdin(buffer)) {
238  return 0;
239  }
240  test_one_input(buffer);
241  return 0;
242  }
243  std::signal(SIGABRT, signal_handler);
244  const auto start_time{Now<SteadySeconds>()};
245  int tested = 0;
246  for (int i = 1; i < argc; ++i) {
247  fs::path input_path(*(argv + i));
248  if (fs::is_directory(input_path)) {
249  for (fs::directory_iterator it(input_path); it != fs::directory_iterator(); ++it) {
250  if (!fs::is_regular_file(it->path())) continue;
251  g_input_path = it->path();
252  Assert(read_file(it->path(), buffer));
253  test_one_input(buffer);
254  ++tested;
255  buffer.clear();
256  }
257  } else {
258  g_input_path = input_path;
259  Assert(read_file(input_path, buffer));
260  test_one_input(buffer);
261  ++tested;
262  buffer.clear();
263  }
264  }
265  const auto end_time{Now<SteadySeconds>()};
266  std::cout << g_fuzz_target << ": succeeded against " << tested << " files in " << count_seconds(end_time - start_time) << "s." << std::endl;
267 #endif
268  return 0;
269 }
270 #endif
main
int main(int argc, char **argv)
Definition: bench_bitcoin.cpp:62
EXIT_SUCCESS
return EXIT_SUCCESS
Definition: bitcoin-wallet.cpp:138
Assert
#define Assert(val)
Identity function.
Definition: check.h:77
fs::path
Path class wrapper to block calls to the fs::path(std::string) implicit constructor and the fs::path:...
Definition: fs.h:33
fs::path::path
path(std::filesystem::path path)
Definition: fs.h:38
initialize
void initialize()
Definition: fuzz.cpp:103
FuzzTargets
auto & FuzzTargets()
Definition: fuzz.cpp:68
FuzzFrameworkRegisterTarget
void FuzzFrameworkRegisterTarget(std::string_view name, TypeTestOneInput target, FuzzTargetOptions opts)
Definition: fuzz.cpp:74
G_TEST_LOG_FUN
const std::function< void(const std::string &)> G_TEST_LOG_FUN
This is connected to the logger.
Definition: fuzz.cpp:36
g_test_one_input
static const TypeTestOneInput * g_test_one_input
Definition: fuzz.cpp:81
SetArgs
static void SetArgs(int argc, char **argv)
Definition: fuzz.cpp:49
LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
Definition: fuzz.cpp:206
LLVMFuzzerInitialize
int LLVMFuzzerInitialize(int *argc, char ***argv)
Definition: fuzz.cpp:214
g_fuzz_target
static std::string_view g_fuzz_target
Definition: fuzz.cpp:80
ResetCoverageCounters
void ResetCoverageCounters()
Definition: fuzz.cpp:99
g_args
static std::vector< const char * > g_args
A copy of the command line arguments that start with --.
Definition: fuzz.cpp:47
G_TEST_COMMAND_LINE_ARGUMENTS
const std::function< std::vector< const char * >)> G_TEST_COMMAND_LINE_ARGUMENTS
Retrieve the command line arguments.
Definition: fuzz.cpp:59
G_TEST_GET_FULL_NAME
const std::function< std::string()> G_TEST_GET_FULL_NAME
Retrieve the unit test name.
Definition: fuzz.cpp:38
TypeTestOneInput
std::function< void(FuzzBufferType)> TypeTestOneInput
Definition: fuzz.h:27
fsbridge::fopen
FILE * fopen(const fs::path &p, const char *mode)
Definition: fs.cpp:26
WrappedGetAddrInfo
std::vector< CNetAddr > WrappedGetAddrInfo(const std::string &name, bool allow_lookup)
Wrapper for getaddrinfo(3).
Definition: netbase.cpp:45
CreateSock
std::function< std::unique_ptr< Sock >int, int, int)> CreateSock
Socket factory.
Definition: netbase.cpp:556
g_dns_lookup
DNSLookupFn g_dns_lookup
Definition: netbase.cpp:98
name
const char * name
Definition: rest.cpp:49
setup_common.h
FuzzTarget::test_one_input
const TypeTestOneInput test_one_input
Definition: fuzz.cpp:64
FuzzTarget::opts
const FuzzTargetOptions opts
Definition: fuzz.cpp:65
SeedRandomForTest
void SeedRandomForTest(SeedRand seedtype)
Seed the RNG for testing.
Definition: random.cpp:18
SeedRand::ZEROS
@ ZEROS
Seed with a compile time constant of zeros.
count_seconds
constexpr int64_t count_seconds(std::chrono::seconds t)
Definition: time.h:54
Generated on Sat Jul 27 2024 02:44:49 for Bitcoin Core by doxygen 1.9.1