shithub: puzzles

Download patch

ref: 80de73a6aa4c4e726860c492d2264d4958a56b0d
parent: 5ba227031c865aff55fdaf7c9a1b0e8abcbbabc4
author: Ben Harris <[email protected]>
date: Mon Feb 20 17:53:33 EST 2023

Try to clean up fuzzpuzz a bit

I've separated out the various versions of main(), which has helped a
little bit.  I've also stopped using fmemopen() since libFuzzer might
work on Windows.  But I think I probably still have something
fundamentally wrong in my approach.

--- a/fuzzpuzz.c
+++ b/fuzzpuzz.c
@@ -23,6 +23,15 @@
  * cmake --build build-honggfuzz --target fuzzpuzz
  * mkdir fuzz-corpus && ln icons/''*.sav fuzz-corpus
  * honggfuzz -s -i fuzz-corpus -w fuzzpuzz.dict -- build-honggfuzz/fuzzpuzz
+ *
+ * You can also use libFuzzer, though it's not really a good fit for
+ * Puzzles.  The experimental forking mode seems to work OK:
+ *
+ * CC=clang cmake -B build-clang
+ * cmake --build build-clang --target fuzzpuzz-libfuzzer
+ * mkdir fuzz-corpus && ln icons/''*.sav fuzz-corpus
+ * build-clang/fuzzpuzz-libfuzzer -fork=1 -ignore_crashes=1 \
+ *   -dict=fuzzpuzz.dict fuzz-corpus
  */
 
 #include <stdbool.h>
@@ -85,22 +94,8 @@
     return NULL;
 }
 
-static bool savefile_read(void *wctx, void *buf, int len)
-{
-    FILE *fp = (FILE *)wctx;
-    int ret;
-
-    ret = fread(buf, 1, len, fp);
-    return (ret == len);
-}
-
-static void savefile_rewind(void *wctx)
-{
-    FILE *fp = (FILE *)wctx;
-
-    rewind(fp);
-}
-
+#if defined(__AFL_FUZZ_TESTCASE_LEN) || defined(HAVE_HF_ITER) || \
+    !defined(OMIT_MAIN)
 static void savefile_write(void *wctx, const void *buf, int len)
 {
     FILE *fp = (FILE *)wctx;
@@ -107,6 +102,7 @@
 
     fwrite(buf, 1, len, fp);
 }
+#endif
 
 struct memread {
     const unsigned char *buf;
@@ -145,66 +141,110 @@
     return 0;
 }
 
-#ifndef OMIT_MAIN
+#if defined(__AFL_FUZZ_TESTCASE_LEN) || defined(HAVE_HF_ITER)
+static const char *fuzz_one_mem(unsigned char *data, size_t size) {
+    struct memread ctx;
+
+    ctx.buf = data;
+    ctx.len = size;
+    ctx.pos = 0;
+    return fuzz_one(mem_read, &ctx, mem_rewind, savefile_write, stdout);
+}
+#endif
+
+/* 
+ * Three different versions of main(), for standalone, AFL, and
+ * Honggfuzz modes.  LibFuzzer brings its own main().
+ */
+
+#ifdef OMIT_MAIN
+/* Nothing. */
+#elif defined(__AFL_FUZZ_TESTCASE_LEN)
+/*
+ * AFL persistent mode, where we fuzz from a RAM buffer provided
+ * by AFL in a loop.  This version can still be run standalone if
+ * necessary, for instance to diagnose a crash.
+ */
 int main(int argc, char **argv)
 {
     const char *err;
-    int ret = -1;
-    FILE *in = NULL;
+    int ret;
 
     if (argc != 1) {
         fprintf(stderr, "usage: %s\n", argv[0]);
-        exit(1);
+        return 1;
     }
-
 #ifdef __AFL_HAVE_MANUAL_CONTROL
     __AFL_INIT();
 #endif
-
-#ifdef __AFL_FUZZ_TESTCASE_LEN
-    /*
-     * AFL persistent mode, where we fuzz from a RAM buffer provided
-     * by AFL in a loop.  This version can still be run standalone if
-     * necessary, for instance to diagnose a crash.
-     */
-
     while (__AFL_LOOP(10000)) {
-        if (in != NULL) fclose(in);
-        in = fmemopen(__AFL_FUZZ_TESTCASE_BUF, __AFL_FUZZ_TESTCASE_LEN, "r");
-        if (in == NULL) {
-            fprintf(stderr, "fmemopen failed");
+        err = fuzz_one_mem(__AFL_FUZZ_TESTCASE_BUF, __AFL_FUZZ_TESTCASE_LEN);
+        if (err != NULL) {
+            fprintf(stderr, "%s\n", err);
             ret = 1;
-            continue;
-        }
+        } else
+            ret = 0;
+    }
+    return ret;
+}
 #elif defined(HAVE_HF_ITER)
-    /*
-     * Honggfuzz persistent mode.  Unlike AFL persistent mode, the
-     * resulting executable cannot be run outside of Honggfuzz.
-     */
+/*
+ * Honggfuzz persistent mode.  Unlike AFL persistent mode, the
+ * resulting executable cannot be run outside of Honggfuzz.
+ */
+int main(int argc, char **argv)
+{
+    if (argc != 1) {
+        fprintf(stderr, "usage: %s\n", argv[0]);
+        return 1;
+    }
     while (true) {
         unsigned char *testcase_buf;
         size_t testcase_len;
-        if (in != NULL) fclose(in);
         HF_ITER(&testcase_buf, &testcase_len);
-        in = fmemopen(testcase_buf, testcase_len, "r");
-        if (in == NULL) {
-            fprintf(stderr, "fmemopen failed");
-            ret = 1;
-            continue;
-        }
+        fuzz_one_mem(testcase_buf, testcase_len);
+    }
+}
 #else
-    in = stdin;
-    while (ret == -1) {
+/*
+ * Stand-alone mode: just handle a single test case on stdin.
+ */
+static bool savefile_read(void *wctx, void *buf, int len)
+{
+    FILE *fp = (FILE *)wctx;
+    int ret;
+
+    ret = fread(buf, 1, len, fp);
+    return (ret == len);
+}
+
+static void savefile_rewind(void *wctx)
+{
+    FILE *fp = (FILE *)wctx;
+
+    rewind(fp);
+}
+
+int main(int argc, char **argv)
+{
+    const char *err;
+
+    if (argc != 1) {
+        fprintf(stderr, "usage: %s\n", argv[0]);
+        return 1;
+    }
+
+    /* Might in theory use this mode under AFL. */
+#ifdef __AFL_HAVE_MANUAL_CONTROL
+    __AFL_INIT();
 #endif
-        err = fuzz_one(savefile_read, in, savefile_rewind,
-                       savefile_write, stdout);
-        if (err == NULL) {
-            ret = 0;
-        } else {
-            fprintf(stderr, "%s\n", err);
-            ret = 1;
-        }
+
+    err = fuzz_one(savefile_read, stdin, savefile_rewind,
+                   savefile_write, stdout);
+    if (err != NULL) {
+        fprintf(stderr, "%s\n", err);
+        return 1;
     }
-    return ret;
+    return 0;
 }
 #endif