doc/html/fuzz_8cpp_source.html

// Copyright (c) 2009-present The Bitcoin Core developers

// Distributed under the MIT software license, see the accompanying

// file COPYING or http://www.opensource.org/licenses/mit-license.php.


#include <test/fuzz/fuzz.h>


#include <netaddress.h>

#include <netbase.h>

#include <test/util/random.h>

#include <test/util/setup_common.h>

#include <util/check.h>

#include <util/fs.h>

#include <util/sock.h>

#include <util/time.h>


#include <csignal>

#include <cstdint>

#include <cstdio>

#include <cstdlib>

#include <cstring>

#include <exception>

#include <fstream>

#include <functional>

#include <iostream>

#include <map>

#include <memory>

#include <string>

#include <tuple>

#include <utility>

#include <vector>


#if defined(PROVIDE_FUZZ_MAIN_FUNCTION) && defined(__AFL_FUZZ_INIT)

__AFL_FUZZ_INIT();

#endif


const std::function<void(const std::string&)> G_TEST_LOG_FUN{};


const std::function<std::string()> G_TEST_GET_FULL_NAME{};


static std::vector<const char*> g_args;


static void SetArgs(int argc, char** argv) {

    for (int i = 1; i < argc; ++i) {

        // Only take into account arguments that start with `--`. The others are for the fuzz engine:

        // `fuzz -runs=1 fuzz_seed_corpus/address_deserialize_v2 --checkaddrman=5`

        if (strlen(argv[i]) > 2 && argv[i][0] == '-' && argv[i][1] == '-') {

            g_args.push_back(argv[i]);

        }

    }

}


const std::function<std::vector<const char*>()> G_TEST_COMMAND_LINE_ARGUMENTS = []() {

    return g_args;

};


struct FuzzTarget {

    const TypeTestOneInput test_one_input;

    const FuzzTargetOptions opts;

};


auto& FuzzTargets()

{

    static std::map<std::string_view, FuzzTarget> g_fuzz_targets;

    return g_fuzz_targets;

}


void FuzzFrameworkRegisterTarget(std::string_view name, TypeTestOneInput target, FuzzTargetOptions opts)

{

    const auto [it, ins]{FuzzTargets().try_emplace(name, FuzzTarget /* temporary can be dropped after Apple-Clang-16 ? */ {std::move(target), std::move(opts)})};

    Assert(ins);

}


static std::string_view g_fuzz_target;

static const TypeTestOneInput* g_test_one_input{nullptr};


#if defined(__clang__) && defined(__linux__)

extern "C" void __llvm_profile_reset_counters(void) __attribute__((weak));

extern "C" void __gcov_reset(void) __attribute__((weak));


void ResetCoverageCounters()

{

    if (__llvm_profile_reset_counters) {

        __llvm_profile_reset_counters();

    }


    if (__gcov_reset) {

        __gcov_reset();

    }

}

#else

void ResetCoverageCounters() {}

#endif


void initialize()

{

    // By default, make the RNG deterministic with a fixed seed. This will affect all

    // randomness during the fuzz test, except:

    // - GetStrongRandBytes(), which is used for the creation of private key material.

    // - Creating a BasicTestingSetup or derived class will switch to a random seed.

    SeedRandomForTest(SeedRand::ZEROS);


    // Terminate immediately if a fuzzing harness ever tries to create a socket.

    // Individual tests can override this by pointing CreateSock to a mocked alternative.

    CreateSock = [](int, int, int) -> std::unique_ptr<Sock> { std::terminate(); };


    // Terminate immediately if a fuzzing harness ever tries to perform a DNS lookup.

    g_dns_lookup = [](const std::string& name, bool allow_lookup) {

        if (allow_lookup) {

            std::terminate();

        }

        return WrappedGetAddrInfo(name, false);

    };


    bool should_exit{false};

    if (std::getenv("PRINT_ALL_FUZZ_TARGETS_AND_ABORT")) {

        for (const auto& [name, t] : FuzzTargets()) {

            if (t.opts.hidden) continue;

            std::cout << name << std::endl;

        }

        should_exit = true;

    }

    if (const char* out_path = std::getenv("WRITE_ALL_FUZZ_TARGETS_AND_ABORT")) {

        std::cout << "Writing all fuzz target names to '" << out_path << "'." << std::endl;

        std::ofstream out_stream{out_path, std::ios::binary};

        for (const auto& [name, t] : FuzzTargets()) {

            if (t.opts.hidden) continue;

            out_stream << name << std::endl;

        }

        should_exit = true;

    }

    if (should_exit) {

        std::exit(EXIT_SUCCESS);

    }

    if (const auto* env_fuzz{std::getenv("FUZZ")}) {

        // To allow for easier fuzz executable binary modification,

        static std::string g_copy{env_fuzz}; // create copy to avoid compiler optimizations, and

        g_fuzz_target = g_copy.c_str();      // strip string after the first null-char.

    } else {

        std::cerr << "Must select fuzz target with the FUZZ env var." << std::endl;

        std::cerr << "Hint: Set the PRINT_ALL_FUZZ_TARGETS_AND_ABORT=1 env var to see all compiled targets." << std::endl;

        std::exit(EXIT_FAILURE);

    }

    const auto it = FuzzTargets().find(g_fuzz_target);

    if (it == FuzzTargets().end()) {

        std::cerr << "No fuzz target compiled for " << g_fuzz_target << "." << std::endl;

        std::exit(EXIT_FAILURE);

    }

    Assert(!g_test_one_input);

    g_test_one_input = &it->second.test_one_input;

    it->second.opts.init();


    ResetCoverageCounters();

}


#if defined(PROVIDE_FUZZ_MAIN_FUNCTION)

static bool read_stdin(std::vector<uint8_t>& data)

{

    std::istream::char_type buffer[1024];

    std::streamsize length;

    while ((std::cin.read(buffer, 1024), length = std::cin.gcount()) > 0) {

        data.insert(data.end(), buffer, buffer + length);

    }

    return length == 0;

}

#endif


#if defined(PROVIDE_FUZZ_MAIN_FUNCTION) && !defined(__AFL_LOOP)

static bool read_file(fs::path p, std::vector<uint8_t>& data)

{

    uint8_t buffer[1024];

    FILE* f = fsbridge::fopen(p, "rb");

    if (f == nullptr) return false;

    do {

        const size_t length = fread(buffer, sizeof(uint8_t), sizeof(buffer), f);

        if (ferror(f)) return false;

        data.insert(data.end(), buffer, buffer + length);

    } while (!feof(f));

    fclose(f);

    return true;

}

#endif


#if defined(PROVIDE_FUZZ_MAIN_FUNCTION) && !defined(__AFL_LOOP)

static fs::path g_input_path;

void signal_handler(int signal)

{

    if (signal == SIGABRT) {

        std::cerr << "Error processing input " << g_input_path << std::endl;

    } else {

        std::cerr << "Unexpected signal " << signal << " received\n";

    }

    std::_Exit(EXIT_FAILURE);

}

#endif


// This function is used by libFuzzer


extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)

{

    static const auto& test_one_input = *Assert(g_test_one_input);

    test_one_input({data, size});

    return 0;

}


// This function is used by libFuzzer


extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)

{

    SetArgs(*argc, *argv);

    initialize();

    return 0;

}


#if defined(PROVIDE_FUZZ_MAIN_FUNCTION)

int main(int argc, char** argv)

{

    initialize();

    static const auto& test_one_input = *Assert(g_test_one_input);

#ifdef __AFL_LOOP

    // Enable AFL persistent mode. Requires compilation using afl-clang-fast++.

    // See fuzzing.md for details.

    const uint8_t* buffer = __AFL_FUZZ_TESTCASE_BUF;

    while (__AFL_LOOP(100000)) {

        size_t buffer_len = __AFL_FUZZ_TESTCASE_LEN;

        test_one_input({buffer, buffer_len});

    }

#else

    std::vector<uint8_t> buffer;

    if (argc <= 1) {

        if (!read_stdin(buffer)) {

            return 0;

        }

        test_one_input(buffer);

        return 0;

    }

    std::signal(SIGABRT, signal_handler);

    const auto start_time{Now<SteadySeconds>()};

    int tested = 0;

    for (int i = 1; i < argc; ++i) {

        fs::path input_path(*(argv + i));

        if (fs::is_directory(input_path)) {

            for (fs::directory_iterator it(input_path); it != fs::directory_iterator(); ++it) {

                if (!fs::is_regular_file(it->path())) continue;

                g_input_path = it->path();

                Assert(read_file(it->path(), buffer));

                test_one_input(buffer);

                ++tested;

                buffer.clear();

            }

        } else {

            g_input_path = input_path;

            Assert(read_file(input_path, buffer));

            test_one_input(buffer);

            ++tested;

            buffer.clear();

        }

    }

    const auto end_time{Now<SteadySeconds>()};

    std::cout << g_fuzz_target << ": succeeded against " << tested << " files in " << count_seconds(end_time - start_time) << "s." << std::endl;

#endif

    return 0;

}

#endif

EXIT_SUCCESS
return EXIT_SUCCESS
Definition bitcoin-wallet.cpp:138

check.h

Assert
#define Assert(val)
Identity function.
Definition check.h:77

fs::path
Path class wrapper to block calls to the fs::path(std::string) implicit constructor and the fs::path:...
Definition fs.h:33

fs::path::path
path(std::filesystem::path path)
Definition fs.h:38

main
int main(void)
Definition bench.c:156

fs.h

initialize
void initialize()
Definition fuzz.cpp:103

FuzzTargets
auto & FuzzTargets()
Definition fuzz.cpp:68

FuzzFrameworkRegisterTarget
void FuzzFrameworkRegisterTarget(std::string_view name, TypeTestOneInput target, FuzzTargetOptions opts)
Definition fuzz.cpp:74

G_TEST_LOG_FUN
const std::function< void(const std::string &)> G_TEST_LOG_FUN
This is connected to the logger.
Definition fuzz.cpp:36

g_test_one_input
static const TypeTestOneInput * g_test_one_input
Definition fuzz.cpp:81

SetArgs
static void SetArgs(int argc, char **argv)
Definition fuzz.cpp:49

G_TEST_COMMAND_LINE_ARGUMENTS
const std::function< std::vector< const char * >()> G_TEST_COMMAND_LINE_ARGUMENTS
Retrieve the command line arguments.
Definition fuzz.cpp:59

LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
Definition fuzz.cpp:206

LLVMFuzzerInitialize
int LLVMFuzzerInitialize(int *argc, char ***argv)
Definition fuzz.cpp:214

g_fuzz_target
static std::string_view g_fuzz_target
Definition fuzz.cpp:80

ResetCoverageCounters
void ResetCoverageCounters()
Definition fuzz.cpp:99

g_args
static std::vector< const char * > g_args
A copy of the command line arguments that start with --.
Definition fuzz.cpp:47

G_TEST_GET_FULL_NAME
const std::function< std::string()> G_TEST_GET_FULL_NAME
Retrieve the unit test name.
Definition fuzz.cpp:38

fuzz.h

TypeTestOneInput
std::function< void(FuzzBufferType)> TypeTestOneInput
Definition fuzz.h:27

fsbridge::fopen
FILE * fopen(const fs::path &p, const char *mode)
Definition fs.cpp:26

netaddress.h

CreateSock
std::function< std::unique_ptr< Sock >(int, int, int)> CreateSock
Socket factory.
Definition netbase.cpp:557

WrappedGetAddrInfo
std::vector< CNetAddr > WrappedGetAddrInfo(const std::string &name, bool allow_lookup)
Wrapper for getaddrinfo(3).
Definition netbase.cpp:45

g_dns_lookup
DNSLookupFn g_dns_lookup
Definition netbase.cpp:98

netbase.h

name
const char * name
Definition rest.cpp:49

setup_common.h

sock.h

ByteUnit::t
@ t

FuzzTarget
Definition fuzz.cpp:63

FuzzTarget::test_one_input
const TypeTestOneInput test_one_input
Definition fuzz.cpp:64

FuzzTarget::opts
const FuzzTargetOptions opts
Definition fuzz.cpp:65

FuzzTargetOptions
Definition fuzz.h:28

SeedRandomForTest
void SeedRandomForTest(SeedRand seedtype)
Seed the RNG for testing.
Definition random.cpp:18

random.h

SeedRand::ZEROS
@ ZEROS
Seed with a compile time constant of zeros.

time.h

Now
T Now()
Return the current time point cast to the given precision.
Definition time.h:91

count_seconds
constexpr int64_t count_seconds(std::chrono::seconds t)
Definition time.h:54