2020-06-20 08:15:38 +08:00
|
|
|
//===-- strcmp_fuzz.cpp ---------------------------------------------------===//
|
|
|
|
//
|
|
|
|
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
|
|
|
// See https://llvm.org/LICENSE.txt for license information.
|
|
|
|
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
|
|
|
//
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
///
|
|
|
|
/// Fuzzing test for llvm-libc strcmp implementation.
|
|
|
|
///
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
#include "src/string/strcmp.h"
|
2020-06-23 20:12:18 +08:00
|
|
|
#include <stddef.h>
|
2020-06-20 08:15:38 +08:00
|
|
|
#include <stdint.h>
|
|
|
|
|
[libc] This commit fixes the strcmp fuzzing test. It uses a single input and
splits it into two by using the value of the first byte to determine the
length of the first string. Reviewed-by: PaulkaToast, Differential
Revision: https://reviews.llvm.org/D82427
Summary:
[libc] Since only one input is given, it is necessary to split the string into two containers so that they can be compared for the purposes of this fuzz test. This is done in the following manner:
1. Take the value of the first byte; this is size1. (Credits to @PaulkaToast for this idea).
2. size2 is the value of size - size1.
3. Copy the characters to new containers, data1 and data2 with corresponding sizes.
4. Add a null terminator to the first container, and verify the second container has a null terminator.
5. Verify output of strcmp.
A simpler alternative considered was simply splitting the input data into two, but this means the two strings are always within +- 1 character of each other. This above implementation avoids this.
ninja check-libc was run; no issues.
Reviewers: PaulkaToast, sivachandra
Reviewed By: PaulkaToast
Subscribers: mgorny, tschuett, ecnelises, libc-commits, PaulkaToast
Tags: #libc-project
Differential Revision: https://reviews.llvm.org/D82427
2020-06-29 01:33:56 +08:00
|
|
|
// The general structure is to take the value of the first byte, set size1 to
|
|
|
|
// that value, and add the null terminator. size2 will then contain the rest of
|
|
|
|
// the bytes in data.
|
|
|
|
// For example, with inputs (data={2, 6, 4, 8, 0}, size=5):
|
|
|
|
// size1: data[0] = 2
|
|
|
|
// data1: {2, 6} + '\0' = {2, 6, '\0'}
|
|
|
|
// size2: size - size1 = 3
|
|
|
|
// data2: {4, 8, '\0'}
|
|
|
|
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
|
|
|
|
// Verify the size is at least 1 and the data is null terminated.
|
|
|
|
if (!size || data[size - 1] != '\0')
|
2020-06-20 08:15:38 +08:00
|
|
|
return 0;
|
|
|
|
|
[libc] This commit fixes the strcmp fuzzing test. It uses a single input and
splits it into two by using the value of the first byte to determine the
length of the first string. Reviewed-by: PaulkaToast, Differential
Revision: https://reviews.llvm.org/D82427
Summary:
[libc] Since only one input is given, it is necessary to split the string into two containers so that they can be compared for the purposes of this fuzz test. This is done in the following manner:
1. Take the value of the first byte; this is size1. (Credits to @PaulkaToast for this idea).
2. size2 is the value of size - size1.
3. Copy the characters to new containers, data1 and data2 with corresponding sizes.
4. Add a null terminator to the first container, and verify the second container has a null terminator.
5. Verify output of strcmp.
A simpler alternative considered was simply splitting the input data into two, but this means the two strings are always within +- 1 character of each other. This above implementation avoids this.
ninja check-libc was run; no issues.
Reviewers: PaulkaToast, sivachandra
Reviewed By: PaulkaToast
Subscribers: mgorny, tschuett, ecnelises, libc-commits, PaulkaToast
Tags: #libc-project
Differential Revision: https://reviews.llvm.org/D82427
2020-06-29 01:33:56 +08:00
|
|
|
const size_t size1 = (data[0] <= size ? data[0] : size);
|
|
|
|
const size_t size2 = size - size1;
|
2020-06-20 08:15:38 +08:00
|
|
|
|
[libc] This commit fixes the strcmp fuzzing test. It uses a single input and
splits it into two by using the value of the first byte to determine the
length of the first string. Reviewed-by: PaulkaToast, Differential
Revision: https://reviews.llvm.org/D82427
Summary:
[libc] Since only one input is given, it is necessary to split the string into two containers so that they can be compared for the purposes of this fuzz test. This is done in the following manner:
1. Take the value of the first byte; this is size1. (Credits to @PaulkaToast for this idea).
2. size2 is the value of size - size1.
3. Copy the characters to new containers, data1 and data2 with corresponding sizes.
4. Add a null terminator to the first container, and verify the second container has a null terminator.
5. Verify output of strcmp.
A simpler alternative considered was simply splitting the input data into two, but this means the two strings are always within +- 1 character of each other. This above implementation avoids this.
ninja check-libc was run; no issues.
Reviewers: PaulkaToast, sivachandra
Reviewed By: PaulkaToast
Subscribers: mgorny, tschuett, ecnelises, libc-commits, PaulkaToast
Tags: #libc-project
Differential Revision: https://reviews.llvm.org/D82427
2020-06-29 01:33:56 +08:00
|
|
|
// The first size will always be at least 1 since
|
|
|
|
// we need to append the null terminator. The second size
|
|
|
|
// needs to be checked since it must also contain the null
|
|
|
|
// terminator.
|
|
|
|
if (!size2)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
// Copy the data into new containers.
|
|
|
|
// Add one to data1 for null terminator.
|
|
|
|
uint8_t *data1 = new uint8_t[size1 + 1];
|
|
|
|
uint8_t *data2 = new uint8_t[size2];
|
|
|
|
if (!data1 || !data2)
|
|
|
|
__builtin_trap();
|
2020-06-20 08:15:38 +08:00
|
|
|
|
|
|
|
size_t i;
|
[libc] This commit fixes the strcmp fuzzing test. It uses a single input and
splits it into two by using the value of the first byte to determine the
length of the first string. Reviewed-by: PaulkaToast, Differential
Revision: https://reviews.llvm.org/D82427
Summary:
[libc] Since only one input is given, it is necessary to split the string into two containers so that they can be compared for the purposes of this fuzz test. This is done in the following manner:
1. Take the value of the first byte; this is size1. (Credits to @PaulkaToast for this idea).
2. size2 is the value of size - size1.
3. Copy the characters to new containers, data1 and data2 with corresponding sizes.
4. Add a null terminator to the first container, and verify the second container has a null terminator.
5. Verify output of strcmp.
A simpler alternative considered was simply splitting the input data into two, but this means the two strings are always within +- 1 character of each other. This above implementation avoids this.
ninja check-libc was run; no issues.
Reviewers: PaulkaToast, sivachandra
Reviewed By: PaulkaToast
Subscribers: mgorny, tschuett, ecnelises, libc-commits, PaulkaToast
Tags: #libc-project
Differential Revision: https://reviews.llvm.org/D82427
2020-06-29 01:33:56 +08:00
|
|
|
for (i = 0; i < size1; ++i)
|
|
|
|
data1[i] = data[i];
|
|
|
|
data1[size1] = '\0'; // Add null terminator to data1.
|
|
|
|
|
|
|
|
for (size_t j = 0; j < size2; ++j)
|
|
|
|
data2[j] = data[i++];
|
2020-06-20 08:15:38 +08:00
|
|
|
|
[libc] This commit fixes the strcmp fuzzing test. It uses a single input and
splits it into two by using the value of the first byte to determine the
length of the first string. Reviewed-by: PaulkaToast, Differential
Revision: https://reviews.llvm.org/D82427
Summary:
[libc] Since only one input is given, it is necessary to split the string into two containers so that they can be compared for the purposes of this fuzz test. This is done in the following manner:
1. Take the value of the first byte; this is size1. (Credits to @PaulkaToast for this idea).
2. size2 is the value of size - size1.
3. Copy the characters to new containers, data1 and data2 with corresponding sizes.
4. Add a null terminator to the first container, and verify the second container has a null terminator.
5. Verify output of strcmp.
A simpler alternative considered was simply splitting the input data into two, but this means the two strings are always within +- 1 character of each other. This above implementation avoids this.
ninja check-libc was run; no issues.
Reviewers: PaulkaToast, sivachandra
Reviewed By: PaulkaToast
Subscribers: mgorny, tschuett, ecnelises, libc-commits, PaulkaToast
Tags: #libc-project
Differential Revision: https://reviews.llvm.org/D82427
2020-06-29 01:33:56 +08:00
|
|
|
const char *s1 = reinterpret_cast<const char *>(data1);
|
|
|
|
const char *s2 = reinterpret_cast<const char *>(data2);
|
|
|
|
size_t k = 0;
|
|
|
|
// Iterate until a null terminator is hit or the character comparison is
|
|
|
|
// different.
|
|
|
|
while (s1[k] && s2[k] && s1[k] == s2[k])
|
|
|
|
++k;
|
2020-06-20 08:15:38 +08:00
|
|
|
|
[libc] This commit fixes the strcmp fuzzing test. It uses a single input and
splits it into two by using the value of the first byte to determine the
length of the first string. Reviewed-by: PaulkaToast, Differential
Revision: https://reviews.llvm.org/D82427
Summary:
[libc] Since only one input is given, it is necessary to split the string into two containers so that they can be compared for the purposes of this fuzz test. This is done in the following manner:
1. Take the value of the first byte; this is size1. (Credits to @PaulkaToast for this idea).
2. size2 is the value of size - size1.
3. Copy the characters to new containers, data1 and data2 with corresponding sizes.
4. Add a null terminator to the first container, and verify the second container has a null terminator.
5. Verify output of strcmp.
A simpler alternative considered was simply splitting the input data into two, but this means the two strings are always within +- 1 character of each other. This above implementation avoids this.
ninja check-libc was run; no issues.
Reviewers: PaulkaToast, sivachandra
Reviewed By: PaulkaToast
Subscribers: mgorny, tschuett, ecnelises, libc-commits, PaulkaToast
Tags: #libc-project
Differential Revision: https://reviews.llvm.org/D82427
2020-06-29 01:33:56 +08:00
|
|
|
const unsigned char ch1 = static_cast<unsigned char>(s1[k]);
|
|
|
|
const unsigned char ch2 = static_cast<unsigned char>(s2[k]);
|
2020-06-20 08:15:38 +08:00
|
|
|
// The expected result should be the difference between the first non-equal
|
|
|
|
// characters of s1 and s2. If all characters are equal, the expected result
|
|
|
|
// should be '\0' - '\0' = 0.
|
[libc] This commit fixes the strcmp fuzzing test. It uses a single input and
splits it into two by using the value of the first byte to determine the
length of the first string. Reviewed-by: PaulkaToast, Differential
Revision: https://reviews.llvm.org/D82427
Summary:
[libc] Since only one input is given, it is necessary to split the string into two containers so that they can be compared for the purposes of this fuzz test. This is done in the following manner:
1. Take the value of the first byte; this is size1. (Credits to @PaulkaToast for this idea).
2. size2 is the value of size - size1.
3. Copy the characters to new containers, data1 and data2 with corresponding sizes.
4. Add a null terminator to the first container, and verify the second container has a null terminator.
5. Verify output of strcmp.
A simpler alternative considered was simply splitting the input data into two, but this means the two strings are always within +- 1 character of each other. This above implementation avoids this.
ninja check-libc was run; no issues.
Reviewers: PaulkaToast, sivachandra
Reviewed By: PaulkaToast
Subscribers: mgorny, tschuett, ecnelises, libc-commits, PaulkaToast
Tags: #libc-project
Differential Revision: https://reviews.llvm.org/D82427
2020-06-29 01:33:56 +08:00
|
|
|
if (__llvm_libc::strcmp(s1, s2) != ch1 - ch2)
|
2020-06-20 08:15:38 +08:00
|
|
|
__builtin_trap();
|
|
|
|
|
|
|
|
// Verify reversed operands. This should be the negated value of the previous
|
|
|
|
// result, except of course if the previous result was zero.
|
[libc] This commit fixes the strcmp fuzzing test. It uses a single input and
splits it into two by using the value of the first byte to determine the
length of the first string. Reviewed-by: PaulkaToast, Differential
Revision: https://reviews.llvm.org/D82427
Summary:
[libc] Since only one input is given, it is necessary to split the string into two containers so that they can be compared for the purposes of this fuzz test. This is done in the following manner:
1. Take the value of the first byte; this is size1. (Credits to @PaulkaToast for this idea).
2. size2 is the value of size - size1.
3. Copy the characters to new containers, data1 and data2 with corresponding sizes.
4. Add a null terminator to the first container, and verify the second container has a null terminator.
5. Verify output of strcmp.
A simpler alternative considered was simply splitting the input data into two, but this means the two strings are always within +- 1 character of each other. This above implementation avoids this.
ninja check-libc was run; no issues.
Reviewers: PaulkaToast, sivachandra
Reviewed By: PaulkaToast
Subscribers: mgorny, tschuett, ecnelises, libc-commits, PaulkaToast
Tags: #libc-project
Differential Revision: https://reviews.llvm.org/D82427
2020-06-29 01:33:56 +08:00
|
|
|
if (__llvm_libc::strcmp(s2, s1) != ch2 - ch1)
|
2020-06-20 08:15:38 +08:00
|
|
|
__builtin_trap();
|
|
|
|
|
[libc] This commit fixes the strcmp fuzzing test. It uses a single input and
splits it into two by using the value of the first byte to determine the
length of the first string. Reviewed-by: PaulkaToast, Differential
Revision: https://reviews.llvm.org/D82427
Summary:
[libc] Since only one input is given, it is necessary to split the string into two containers so that they can be compared for the purposes of this fuzz test. This is done in the following manner:
1. Take the value of the first byte; this is size1. (Credits to @PaulkaToast for this idea).
2. size2 is the value of size - size1.
3. Copy the characters to new containers, data1 and data2 with corresponding sizes.
4. Add a null terminator to the first container, and verify the second container has a null terminator.
5. Verify output of strcmp.
A simpler alternative considered was simply splitting the input data into two, but this means the two strings are always within +- 1 character of each other. This above implementation avoids this.
ninja check-libc was run; no issues.
Reviewers: PaulkaToast, sivachandra
Reviewed By: PaulkaToast
Subscribers: mgorny, tschuett, ecnelises, libc-commits, PaulkaToast
Tags: #libc-project
Differential Revision: https://reviews.llvm.org/D82427
2020-06-29 01:33:56 +08:00
|
|
|
delete[] data1;
|
|
|
|
delete[] data2;
|
2020-06-20 08:15:38 +08:00
|
|
|
return 0;
|
|
|
|
}
|