Bitcoin Core  26.1.0
P2P Digital Currency
fuzz.cpp
Go to the documentation of this file.
1 // Copyright (c) 2009-2022 The Bitcoin Core developers
2 // Distributed under the MIT software license, see the accompanying
3 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
4 
5 #include <test/fuzz/fuzz.h>
6 
7 #include <netaddress.h>
8 #include <netbase.h>
9 #include <test/util/setup_common.h>
10 #include <util/check.h>
11 #include <util/fs.h>
12 #include <util/sock.h>
13 #include <util/time.h>
14 
15 #include <csignal>
16 #include <cstdint>
17 #include <cstdio>
18 #include <cstdlib>
19 #include <cstring>
20 #include <exception>
21 #include <fstream>
22 #include <functional>
23 #include <iostream>
24 #include <map>
25 #include <memory>
26 #include <string>
27 #include <tuple>
28 #include <unistd.h>
29 #include <utility>
30 #include <vector>
31 
32 #if defined(PROVIDE_FUZZ_MAIN_FUNCTION) && defined(__AFL_FUZZ_INIT)
33 __AFL_FUZZ_INIT();
34 #endif
35 
36 const std::function<void(const std::string&)> G_TEST_LOG_FUN{};
37 
45 static std::vector<const char*> g_args;
46 
47 static void SetArgs(int argc, char** argv) {
48  for (int i = 1; i < argc; ++i) {
49  // Only take into account arguments that start with `--`. The others are for the fuzz engine:
50  // `fuzz -runs=1 fuzz_seed_corpus/address_deserialize_v2 --checkaddrman=5`
51  if (strlen(argv[i]) > 2 && argv[i][0] == '-' && argv[i][1] == '-') {
52  g_args.push_back(argv[i]);
53  }
54  }
55 }
56 
57 const std::function<std::vector<const char*>()> G_TEST_COMMAND_LINE_ARGUMENTS = []() {
58  return g_args;
59 };
60 
61 struct FuzzTarget {
62  const TypeTestOneInput test_one_input;
63  const FuzzTargetOptions opts;
64 };
65 
66 auto& FuzzTargets()
67 {
68  static std::map<std::string_view, FuzzTarget> g_fuzz_targets;
69  return g_fuzz_targets;
70 }
71 
72 void FuzzFrameworkRegisterTarget(std::string_view name, TypeTestOneInput target, FuzzTargetOptions opts)
73 {
74  const auto it_ins{FuzzTargets().try_emplace(name, FuzzTarget /* temporary can be dropped in C++20 */ {std::move(target), std::move(opts)})};
75  Assert(it_ins.second);
76 }
77 
78 static std::string_view g_fuzz_target;
79 static const TypeTestOneInput* g_test_one_input{nullptr};
80 
81 void initialize()
82 {
83  // Terminate immediately if a fuzzing harness ever tries to create a TCP socket.
84  CreateSock = [](const CService&) -> std::unique_ptr<Sock> { std::terminate(); };
85 
86  // Terminate immediately if a fuzzing harness ever tries to perform a DNS lookup.
87  g_dns_lookup = [](const std::string& name, bool allow_lookup) {
88  if (allow_lookup) {
89  std::terminate();
90  }
91  return WrappedGetAddrInfo(name, false);
92  };
93 
94  bool should_exit{false};
95  if (std::getenv("PRINT_ALL_FUZZ_TARGETS_AND_ABORT")) {
96  for (const auto& [name, t] : FuzzTargets()) {
97  if (t.opts.hidden) continue;
98  std::cout << name << std::endl;
99  }
100  should_exit = true;
101  }
102  if (const char* out_path = std::getenv("WRITE_ALL_FUZZ_TARGETS_AND_ABORT")) {
103  std::cout << "Writing all fuzz target names to '" << out_path << "'." << std::endl;
104  std::ofstream out_stream{out_path, std::ios::binary};
105  for (const auto& [name, t] : FuzzTargets()) {
106  if (t.opts.hidden) continue;
107  out_stream << name << std::endl;
108  }
109  should_exit = true;
110  }
111  if (should_exit) {
112  std::exit(EXIT_SUCCESS);
113  }
114  if (const auto* env_fuzz{std::getenv("FUZZ")}) {
115  // To allow for easier fuzz executable binary modification,
116  static std::string g_copy{env_fuzz}; // create copy to avoid compiler optimizations, and
117  g_fuzz_target = g_copy.c_str(); // strip string after the first null-char.
118  } else {
119  std::cerr << "Must select fuzz target with the FUZZ env var." << std::endl;
120  std::cerr << "Hint: Set the PRINT_ALL_FUZZ_TARGETS_AND_ABORT=1 env var to see all compiled targets." << std::endl;
121  std::exit(EXIT_FAILURE);
122  }
123  const auto it = FuzzTargets().find(g_fuzz_target);
124  if (it == FuzzTargets().end()) {
125  std::cerr << "No fuzz target compiled for " << g_fuzz_target << "." << std::endl;
126  std::exit(EXIT_FAILURE);
127  }
128  Assert(!g_test_one_input);
129  g_test_one_input = &it->second.test_one_input;
130  it->second.opts.init();
131 }
132 
133 #if defined(PROVIDE_FUZZ_MAIN_FUNCTION)
134 static bool read_stdin(std::vector<uint8_t>& data)
135 {
136  uint8_t buffer[1024];
137  ssize_t length = 0;
138  while ((length = read(STDIN_FILENO, buffer, 1024)) > 0) {
139  data.insert(data.end(), buffer, buffer + length);
140  }
141  return length == 0;
142 }
143 #endif
144 
145 #if defined(PROVIDE_FUZZ_MAIN_FUNCTION) && !defined(__AFL_LOOP)
146 static bool read_file(fs::path p, std::vector<uint8_t>& data)
147 {
148  uint8_t buffer[1024];
149  FILE* f = fsbridge::fopen(p, "rb");
150  if (f == nullptr) return false;
151  do {
152  const size_t length = fread(buffer, sizeof(uint8_t), sizeof(buffer), f);
153  if (ferror(f)) return false;
154  data.insert(data.end(), buffer, buffer + length);
155  } while (!feof(f));
156  fclose(f);
157  return true;
158 }
159 #endif
160 
161 #if defined(PROVIDE_FUZZ_MAIN_FUNCTION) && !defined(__AFL_LOOP)
162 static fs::path g_input_path;
163 void signal_handler(int signal)
164 {
165  if (signal == SIGABRT) {
166  std::cerr << "Error processing input " << g_input_path << std::endl;
167  } else {
168  std::cerr << "Unexpected signal " << signal << " received\n";
169  }
170  std::_Exit(EXIT_FAILURE);
171 }
172 #endif
173 
174 // This function is used by libFuzzer
175 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
176 {
177  static const auto& test_one_input = *Assert(g_test_one_input);
178  test_one_input({data, size});
179  return 0;
180 }
181 
182 // This function is used by libFuzzer
183 extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
184 {
185  SetArgs(*argc, *argv);
186  initialize();
187  return 0;
188 }
189 
190 #if defined(PROVIDE_FUZZ_MAIN_FUNCTION)
191 int main(int argc, char** argv)
192 {
193  initialize();
194  static const auto& test_one_input = *Assert(g_test_one_input);
195 #ifdef __AFL_LOOP
196  // Enable AFL persistent mode. Requires compilation using afl-clang-fast++.
197  // See fuzzing.md for details.
198  const uint8_t* buffer = __AFL_FUZZ_TESTCASE_BUF;
199  while (__AFL_LOOP(100000)) {
200  size_t buffer_len = __AFL_FUZZ_TESTCASE_LEN;
201  test_one_input({buffer, buffer_len});
202  }
203 #else
204  std::vector<uint8_t> buffer;
205  if (argc <= 1) {
206  if (!read_stdin(buffer)) {
207  return 0;
208  }
209  test_one_input(buffer);
210  return 0;
211  }
212  std::signal(SIGABRT, signal_handler);
213  const auto start_time{Now<SteadySeconds>()};
214  int tested = 0;
215  for (int i = 1; i < argc; ++i) {
216  fs::path input_path(*(argv + i));
217  if (fs::is_directory(input_path)) {
218  for (fs::directory_iterator it(input_path); it != fs::directory_iterator(); ++it) {
219  if (!fs::is_regular_file(it->path())) continue;
220  g_input_path = it->path();
221  Assert(read_file(it->path(), buffer));
222  test_one_input(buffer);
223  ++tested;
224  buffer.clear();
225  }
226  } else {
227  g_input_path = input_path;
228  Assert(read_file(input_path, buffer));
229  test_one_input(buffer);
230  ++tested;
231  buffer.clear();
232  }
233  }
234  const auto end_time{Now<SteadySeconds>()};
235  std::cout << g_fuzz_target << ": succeeded against " << tested << " files in " << count_seconds(end_time - start_time) << "s." << std::endl;
236 #endif
237  return 0;
238 }
239 #endif
EXIT_SUCCESS
return EXIT_SUCCESS
Definition: bitcoin-wallet.cpp:140
G_TEST_COMMAND_LINE_ARGUMENTS
const std::function< std::vector< const char * >)> G_TEST_COMMAND_LINE_ARGUMENTS
Retrieve the command line arguments.
Definition: fuzz.cpp:57
initialize
void initialize()
Definition: fuzz.cpp:81
fsbridge::fopen
FILE * fopen(const fs::path &p, const char *mode)
Definition: fs.cpp:25
LLVMFuzzerInitialize
int LLVMFuzzerInitialize(int *argc, char ***argv)
Definition: fuzz.cpp:183
g_test_one_input
static const TypeTestOneInput * g_test_one_input
Definition: fuzz.cpp:79
FuzzTargets
auto & FuzzTargets()
Definition: fuzz.cpp:66
SetArgs
static void SetArgs(int argc, char **argv)
Definition: fuzz.cpp:47
TypeTestOneInput
std::function< void(FuzzBufferType)> TypeTestOneInput
Definition: fuzz.h:23
FuzzTarget::test_one_input
const TypeTestOneInput test_one_input
Definition: fuzz.cpp:62
G_TEST_LOG_FUN
const std::function< void(const std::string &)> G_TEST_LOG_FUN
This is connected to the logger.
Definition: fuzz.cpp:36
g_dns_lookup
DNSLookupFn g_dns_lookup
Definition: netbase.cpp:79
g_args
static std::vector< const char * > g_args
A copy of the command line arguments that start with --.
Definition: fuzz.cpp:45
WrappedGetAddrInfo
std::vector< CNetAddr > WrappedGetAddrInfo(const std::string &name, bool allow_lookup)
Wrapper for getaddrinfo(3).
Definition: netbase.cpp:37
name
const char * name
Definition: rest.cpp:45
CService
A combination of a network address (CNetAddr) and a (TCP) port.
Definition: netaddress.h:534
setup_common.h
fs::path::path
path(std::filesystem::path path)
Definition: fs.h:36
count_seconds
constexpr int64_t count_seconds(std::chrono::seconds t)
Definition: time.h:54
LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
Definition: fuzz.cpp:175
main
int main(int argc, char **argv)
Definition: bench_bitcoin.cpp:60
g_fuzz_target
static std::string_view g_fuzz_target
Definition: fuzz.cpp:78
CreateSock
std::function< std::unique_ptr< Sock >const CService &)> CreateSock
Socket factory.
Definition: netbase.cpp:502
FuzzFrameworkRegisterTarget
void FuzzFrameworkRegisterTarget(std::string_view name, TypeTestOneInput target, FuzzTargetOptions opts)
Definition: fuzz.cpp:72
FuzzTarget::opts
const FuzzTargetOptions opts
Definition: fuzz.cpp:63
fs::path
Path class wrapper to block calls to the fs::path(std::string) implicit constructor and the fs::path:...
Definition: fs.h:30
Assert
#define Assert(val)
Identity function.
Definition: check.h:73
Generated on Thu Mar 28 2024 12:00:00 for Bitcoin Core by   doxygen 1.8.14