Add fuzzing harness to swift-nio-http2. (#288)

Motivation: Fuzzing is great, we should have a good sensible place to centralise a harness. Modifications: - Add a fuzzing harness. Result: There's a common way to do fuzzing.
apple · May 27, 2021 · 1ef8bac · 1ef8bac
1 parent 000f5ee
commit 1ef8bac
Show file tree

Hide file tree

Showing 8 changed files with 268 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,5 @@
 .DS_Store
-/.build
+.build
 /Packages
 /*.xcodeproj
 Package.pins

diff --git a/FuzzTesting/FailCases/.empty b/FuzzTesting/FailCases/.empty
diff --git a/FuzzTesting/Package.swift b/FuzzTesting/Package.swift
@@ -0,0 +1,34 @@
+// swift-tools-version:5.3
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the SwiftNIO open source project
+//
+// Copyright (c) 2021 Apple Inc. and the SwiftNIO project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of SwiftNIO project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+import PackageDescription
+
+let package = Package(
+    name: "FuzzTesting",
+    dependencies: [
+        .package(name: "swift-nio-http2", path: ".."),
+        .package(url: "https://github.com/apple/swift-nio", from: "2.29.0"),
+    ],
+    targets: [
+        .target(
+            name: "FuzzHTTP2",
+            dependencies: [
+                .product(name: "NIOHTTP2", package: "swift-nio-http2"),
+                .product(name: "NIOHTTP1", package: "swift-nio"),
+                .product(name: "NIO", package: "swift-nio"),
+            ]
+        ),
+    ]
+)
diff --git a/FuzzTesting/README.md b/FuzzTesting/README.md
@@ -0,0 +1,42 @@
+# FuzzTesting
+
+This subpackage build binaries to be use with Fuzz testing.
+
+NOTE: The Swift toolchain distributed with Xcode do not include the fuzzing
+support, so for macOS, one needs to install the swift.org toolchain and use that
+instead.
+
+To build on macOS:
+
+```
+xcrun \
+  --toolchain swift \
+  swift build -c debug -Xswiftc -sanitize=fuzzer,address -Xswiftc -parse-as-library
+```
+
+To build on linux:
+
+```
+swift build -c debug -Xswiftc -sanitize=fuzzer,address -Xswiftc -parse-as-library
+```
+
+Then the binaries will be found in `.build/debug`.
+
+Note: You can also use `-c release` to build/test in release instead as that
+could find different issues.
+
+In this directory you will also find a `do_build.sh` script.  By default it
+builds for both _debug_ and _release_. You can also pass `--run-regressions` to
+have it run the the build against the previous failcases to check for
+regressions.
+
+When issues are found:
+
+1. Make sure you add a file to `FailCases` subdirectory so regressions can
+   easily be watched for.
+
+2. Consider adding them to the unit tests as well. This can provide even
+   better regression testing.
+
+This infrastructure was originally developed for Swift Protobuf, and has been
+adapted for SwiftNIO HTTP/2.
diff --git a/FuzzTesting/Sources/FuzzHTTP2/main.swift b/FuzzTesting/Sources/FuzzHTTP2/main.swift
@@ -0,0 +1,58 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the SwiftNIO open source project
+//
+// Copyright (c) 2021 Apple Inc. and the SwiftNIO project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of SwiftNIO project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+// Sources/protoc-gen-swift/main.swift - Protoc plugin main
+//
+// Copyright (c) 2020 - 2021 Apple Inc. and the project authors
+// Licensed under Apache License v2.0 with Runtime Library Exception
+//
+// See LICENSE.txt for license information:
+// https://github.com/apple/swift-protobuf/blob/main/LICENSE.txt
+
+
+import Foundation
+
+import NIO
+import NIOHTTP1
+import NIOHTTP2
+
+fileprivate func fuzzInput(_ bytes: UnsafeRawBufferPointer) throws {
+    let channel = EmbeddedChannel()
+    defer {
+        _ = try? channel.finish()
+    }
+    _ = try channel.configureHTTP2Pipeline(
+        mode: .server,
+        initialLocalSettings: [HTTP2Setting(parameter: .maxConcurrentStreams, value: 1<<23)],
+        inboundStreamInitializer: nil
+    ).wait()
+    try channel.connect(to: SocketAddress(unixDomainSocketPath: "/foo")).wait()
+
+    let buffer = channel.allocator.buffer(bytes: bytes)
+    try channel.writeInbound(buffer)
+    channel.embeddedEventLoop.run()
+    channel.pipeline.fireChannelInactive()
+    channel.embeddedEventLoop.run()
+}
+
+@_cdecl("LLVMFuzzerTestOneInput")
+public func FuzzServer(_ start: UnsafeRawPointer, _ count: Int) -> CInt {
+  let bytes = UnsafeRawBufferPointer(start: start, count: count)
+  do {
+      let _ = try fuzzInput(bytes)
+  } catch {
+    // Errors parsing are to be expected since not all inputs will be well formed.
+  }
+
+  return 0
+}
diff --git a/FuzzTesting/do_build.sh b/FuzzTesting/do_build.sh
@@ -0,0 +1,123 @@
+#!/bin/bash
+##===----------------------------------------------------------------------===##
+##
+## This source file is part of the SwiftNIO open source project
+##
+## Copyright (c) 2021 Apple Inc. and the SwiftNIO project authors
+## Licensed under Apache License v2.0
+##
+## See LICENSE.txt for license information
+## See CONTRIBUTORS.txt for the list of SwiftNIO project authors
+##
+## SPDX-License-Identifier: Apache-2.0
+##
+##===----------------------------------------------------------------------===##
+## Copyright (c) 2014 - 2017 Apple Inc. and the project authors
+## Licensed under Apache License v2.0 with Runtime Library Exception
+##
+## See LICENSE.txt for license information:
+## https://github.com/apple/swift-protobuf/blob/main/LICENSE.txt
+
+# As the license header implies, this file was derived from swift-protobuf,
+# and edited for use with SwiftNIO HTTP/2.
+
+
+set -eu
+
+readonly FuzzTestingDir=$(dirname "$(echo $0 | sed -e "s,^\([^/]\),$(pwd)/\1,")")
+
+printUsage() {
+  NAME=$(basename "${0}")
+  cat << EOF
+usage: ${NAME} [OPTIONS]
+
+This script builds (and can run) the fuzz tests.
+
+OPTIONS:
+
+ General:
+
+   -h, --help
+         Show this message
+   --debug-only
+         Just build the 'debug' configuration.
+   --release-only
+         Just build the 'release' configuration.
+   --both
+         Build both the 'debug' and 'release' configurations. This is
+         the default.
+   --run-regressions, --run
+         After building, also run all the fuzz tests against the known fail
+         cases.
+
+EOF
+}
+
+FUZZ_TESTS=("FuzzHTTP2")
+CHECK_REGRESSIONS="no"
+# Default to both
+CMD_CONFIGS=("debug" "release")
+
+while [[ $# != 0 ]]; do
+  case "${1}" in
+    -h | --help )
+      printUsage
+      exit 0
+      ;;
+    --debug-only )
+      CMD_CONFIGS=("debug")
+      ;;
+    --release-only )
+      CMD_CONFIGS=("release")
+      ;;
+    --both )
+      CMD_CONFIGS=("debug" "release")
+      ;;
+    --run-regressions | --run )
+      CHECK_REGRESSIONS="yes"
+      ;;
+    -*)
+      echo "ERROR: Unknown option: ${1}" 1>&2
+      printUsage
+      exit 1
+      ;;
+    *)
+      echo "ERROR: Unknown argument: ${1}" 1>&2
+      printUsage
+      exit 1
+      ;;
+  esac
+  shift
+done
+
+cd "${FuzzTestingDir}"
+
+declare -a CMD_BASE
+if [ "$(uname)" == "Darwin" ]; then
+  CMD_BASE=(
+    xcrun
+      --toolchain swift
+      swift build -Xswiftc -sanitize=fuzzer,address -Xswiftc -parse-as-library
+  )
+else
+  CMD_BASE=(
+    swift build -Xswiftc -sanitize=fuzzer,address -Xswiftc -parse-as-library
+  )
+fi
+
+for CMD_CONFIG in "${CMD_CONFIGS[@]}"; do
+  echo "------------------------------------------------------------------------------------------"
+  echo "Building: ${CMD_CONFIG}"
+  echo "${CMD_BASE[@]}" -c "${CMD_CONFIG}"
+  "${CMD_BASE[@]}" -c "${CMD_CONFIG}"
+
+  if [[ "${CHECK_REGRESSIONS}" == "yes" ]] ; then
+    for FUZZ_TEST in "${FUZZ_TESTS[@]}"; do
+      # Don't worry about running the test cases against the right binaries, they should
+      # all be able to handle any input.
+      echo "------------------------------------------------------------------------------------------"
+      echo "Regressing: ${FUZZ_TEST}"
+      ".build/${CMD_CONFIG}/${FUZZ_TEST}" FailCases/*
+    done
+  fi
+done
diff --git a/NOTICE.txt b/NOTICE.txt
@@ -50,3 +50,12 @@ The unit tests make use of 'hpack-test-case' by jxck, summerwind, kazu-yamamoto,
     * https://opensource.org/licenses/MIT
   * HOMEPAGE:
     * https://github.com/http2jp/hpack-test-case
+
+---
+
+This product contains a fuzz testing harness derived from Swift Protobuf.
+
+  * LICENSE (Apache License 2.0):
+    * https://github.com/apple/swift-protobuf/blob/main/LICENSE.txt
+  * HOMEPAGE:
+    * https://github.com/apple/swift-protobuf
diff --git a/scripts/soundness.sh b/scripts/soundness.sh
@@ -18,7 +18,7 @@ here="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 function replace_acceptable_years() {
     # this needs to replace all acceptable forms with 'YEARS'
-    sed -e 's/2017-20[12][890]/YEARS/g' -e 's/2019/YEARS/g' -e 's/2020/YEARS/g'
+    sed -e 's/2017-20[12][890]/YEARS/g' -e 's/2019/YEARS/g' -e 's/2020/YEARS/g' -e 's/2021/YEARS/g'
 }
 
 printf "=> Checking linux tests... "