Basic Fuzz Testing.

[100%] Fuzzing libosrm /tmp/osrm-backend/build/fuzz/driver -max_len=4096 corpus > fuzz-0.log 2>&1 /tmp/osrm-backend/build/fuzz/driver -max_len=4096 corpus > fuzz-1.log 2>&1 /tmp/osrm-backend/build/fuzz/driver -max_len=4096 corpus > fuzz-2.log 2>&1 /tmp/osrm-backend/build/fuzz/driver -max_len=4096 corpus > fuzz-3.log 2>&1 References: - http://llvm.org/docs/LibFuzzer.html - http://llvm.org/releases/3.8.0/docs/LibFuzzer.html - https://github.com/Project-OSRM/osrm-backend/issues/1678
2016-04-12 11:58:43 +02:00 · 2016-04-12 11:58:43 +02:00 · 2557bdcf39
commit 2557bdcf39
parent 12d478784b
3 changed files with 66 additions and 0 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -54,6 +54,7 @@ option(ENABLE_ASSERTIONS OFF)
 option(COVERAGE OFF)
 option(SANITIZER OFF)
 option(ENABLE_LTO "Use LTO if available" ON)
+option(ENABLE_FUZZING "Fuzz testing using LLVM's libFuzzer" OFF)

 include_directories(BEFORE ${CMAKE_CURRENT_BINARY_DIR}/include/)
 include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR}/include/)
@ -244,6 +245,7 @@ if(UNIX AND NOT APPLE)
  set(MAYBE_RT_LIBRARY rt)
 endif()

+
 list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/third_party/libosmium/cmake")
 set(OSMIUM_INCLUDE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/third_party/libosmium/include")
 find_package(Osmium REQUIRED COMPONENTS io)
@ -498,3 +500,10 @@ add_custom_target(uninstall
 # Modular build system: each directory registered here provides its own CMakeLists.txt
 add_subdirectory(unit_tests)
 add_subdirectory(src/benchmarks)
+
+if (ENABLE_FUZZING)
+  # TODO(daniel-j-h): fuzz against configurable ubsan,msan,asan libosrm builds
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize-coverage=edge,indirect-calls,8bit-counters -fsanitize=address")
+  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fsanitize=address")
+  add_subdirectory(fuzz)
+endif ()
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@ -0,0 +1,25 @@
+# Fuzz testing using LLVM's libFuzzer.
+#
+# See:
+#  - http://llvm.org/docs/LibFuzzer.html
+#  - http://llvm.org/releases/3.8.0/docs/LibFuzzer.html
+#
+# TODO(daniel-j-h):
+#  - make more user friendly, at the moment we require you to build and install libFuzzer.a
+#  - pick up LLVM_ROOT
+#  - build libFuzzer on the fly
+# 
+# clang++ -std=c++11 -stdlib=libc++ -c -g -O2 ~/llvm/lib/Fuzzer/*.cpp -I~/llvm/lib/Fuzzer
+# ar ruv libFuzzer.a Fuzzer*.o
+
+if (ENABLE_FUZZING)
+  add_executable(driver driver.cc $<TARGET_OBJECTS:UTIL> $<TARGET_OBJECTS:SERVER>)
+  target_link_libraries(driver Fuzzer osrm)
+
+  add_custom_target(fuzz
+	  DEPENDS driver
+	  WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+	  COMMAND ${CMAKE_COMMAND} -E make_directory corpus
+	  COMMAND driver -jobs=4 -workers=4 -max_len=4096 corpus
+	  COMMENT "Fuzzing libosrm" VERBATIM)
+endif ()
--- a/fuzz/driver.cc
+++ b/fuzz/driver.cc
@ -0,0 +1,32 @@
+#include "server/api/parameters_parser.hpp"
+
+#include "engine/api/base_parameters.hpp"
+#include "engine/api/match_parameters.hpp"
+#include "engine/api/nearest_parameters.hpp"
+#include "engine/api/route_parameters.hpp"
+#include "engine/api/table_parameters.hpp"
+#include "engine/api/tile_parameters.hpp"
+#include "engine/api/trip_parameters.hpp"
+
+#include <iterator>
+#include <string>
+
+/*
+ * First pass at fuzzing the server, without any libosrm setup.
+ * Later we want keep state across fuzz testing invocations via:
+ *
+ * struct State { State() { setup_osrm(); } };
+ * static State state;
+ */
+
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, unsigned long size)
+{
+    std::string in(reinterpret_cast<const char *>(data), size);
+
+    auto first = begin(in);
+    const auto last = end(in);
+
+    (void)osrm::server::api::parseParameters<osrm::engine::api::RouteParameters>(first, last);
+
+    return 0; /* Always return zero, sanitizers hard-abort */
+}