fuzz: libprotobuf-mutator integration.

bazel/envoy_build_system.bzl

@@ -215,10 +215,14 @@ def envoy_cc_fuzz_test(name, corpus, deps = [], **kwargs):
         linkopts = envoy_test_linkopts(),
         linkstatic = 1,
         args = [PACKAGE_NAME + "/" + corpus],
-        deps = [
-            ":" + test_lib_name,
-            "//test/fuzz:main",
-        ],
+        # No fuzzing on OS X.
+        deps = select({
+            "@bazel_tools//tools/osx:darwin": ["//test:dummy_main"],
+            "//conditions:default": [
+                ":" + test_lib_name,
+                "//test/fuzz:main",
+            ],
+        }),
     )
     native.cc_binary(
         name = name + "_driverless",

bazel/external/libprotobuf_mutator.BUILD

@@ -0,0 +1,9 @@
+cc_library(
+    name = "libprotobuf_mutator",
+    srcs = glob(["src/**/*.cc", "src/**/*.h", "port/protobuf.h"], exclude=["**/*_test.cc"]),
+    hdrs = ["src/libfuzzer/libfuzzer_macro.h"],
+    includes = ["."],
+    include_prefix = "libprotobuf_mutator",
+    deps = ["//external:protobuf"],
+    visibility = ["//visibility:public"],
+)

bazel/repositories.bzl

@@ -231,6 +231,7 @@ def envoy_dependencies(path = "@envoy_deps//", skip_targets = []):
     _com_github_fmtlib_fmt()
     _com_github_gabime_spdlog()
     _com_github_gcovr_gcovr()
+    _com_github_google_libprotobuf_mutator()
     _io_opentracing_cpp()
     _com_lightstep_tracer_cpp()
     _com_github_grpc_grpc()
@@ -314,6 +315,16 @@ def _com_github_gcovr_gcovr():
         actual = "@com_github_gcovr_gcovr//:gcovr",
     )
 
+def _com_github_google_libprotobuf_mutator():
+    _repository_impl(
+        name = "com_github_google_libprotobuf_mutator",
+        build_file = "@envoy//bazel/external:libprotobuf_mutator.BUILD",
+    )
+    native.bind(
+        name = "libprotobuf_mutator",
+        actual = "@com_github_google_libprotobuf_mutator//:libprotobuf_mutator",
+    )
+
 def _io_opentracing_cpp():
     _repository_impl("io_opentracing_cpp")
     native.bind(

bazel/repository_locations.bzl

@@ -34,6 +34,10 @@ REPOSITORY_LOCATIONS = dict(
         commit = "c0d77201039c7b119b18bc7fb991564c602dd75d",
         remote = "https://github.com/gcovr/gcovr",
     ),
+    com_github_google_libprotobuf_mutator = dict(
+        commit = "c3d2faf04a1070b0b852b0efdef81e1a81ba925e",
+        remote = "https://github.com/google/libprotobuf-mutator",
+    ),
     com_github_grpc_grpc = dict(
         commit = "66b9770a8ad326c1ee0dbedc5a8f32a52a604567", # v1.10.1
         remote = "https://github.com/grpc/grpc.git",

source/common/protobuf/utility.cc

@@ -128,6 +128,9 @@ bool ValueUtil::equal(const ProtobufWkt::Value& v1, const ProtobufWkt::Value& v2
   }
 
   switch (kind) {
+  case ProtobufWkt::Value::KIND_NOT_SET:
+    return v2.kind_case() == ProtobufWkt::Value::KIND_NOT_SET;
+
   case ProtobufWkt::Value::kNullValue:
     return true;
 

test/BUILD

@@ -8,6 +8,12 @@ load(
 
 envoy_package()
 
+# TODO(htuch): remove when we have a solution for https://github.com/bazelbuild/bazel/issues/3510
+envoy_cc_test_library(
+    name = "dummy_main",
+    srcs = ["dummy_main.cc"],
+)
+
 envoy_cc_test_library(
     name = "main",
     srcs = [

test/common/common/base64_fuzz_test.cc

@@ -5,7 +5,7 @@
 namespace Envoy {
 namespace Fuzz {
 
-void Runner::execute(const uint8_t* buf, size_t len) {
+DEFINE_FUZZER(const uint8_t* buf, size_t len) {
   Envoy::Base64::encode(reinterpret_cast<const char*>(buf), len);
 }
 

test/common/protobuf/BUILD

@@ -2,6 +2,7 @@ licenses(["notice"])  # Apache 2
 
 load(
     "//bazel:envoy_build_system.bzl",
+    "envoy_cc_fuzz_test",
     "envoy_cc_test",
     "envoy_package",
 )
@@ -18,3 +19,10 @@ envoy_cc_test(
         "@envoy_api//envoy/config/bootstrap/v2:bootstrap_cc",
     ],
 )
+
+envoy_cc_fuzz_test(
+    name = "value_util_fuzz_test",
+    srcs = ["value_util_fuzz_test.cc"],
+    corpus = "value_util_corpus",
+    deps = ["//source/common/protobuf:utility_lib"],
+)

test/common/protobuf/value_util_corpus/string_value

@@ -0,0 +1 @@
+string_value: "foo"

test/common/protobuf/value_util_corpus/struct_value

@@ -0,0 +1,58 @@
+struct_value {
+  fields {
+    key: "null"
+    value {
+      null_value: NULL_VALUE
+    }
+  }
+  fields {
+    key: "number"
+    value {
+      number_value: 3.14159265358979323
+    }
+  }
+  fields {
+    key: "string"
+    value {
+      string_value: "string"
+    }
+  }
+  fields {
+    key: "bool"
+    value {
+      bool_value: true
+    }
+  }
+  fields {
+    key: "list"
+    value {
+      list_value {
+        values {
+          string_value: "some"
+        }
+        values {
+          string_value: "thing"
+        }
+      }
+    }
+  }
+  fields {
+    key: "struct"
+    value {
+      struct_value {
+        fields {
+          key: "foo"
+          value {
+            number_value: 42
+          }
+        }
+        fields {
+          key: "bar"
+          value {
+            number_value: 37
+          }
+        }
+      }
+    }
+  }
+}

test/common/protobuf/value_util_fuzz_test.cc

@@ -0,0 +1,11 @@
+#include "common/protobuf/utility.h"
+
+#include "test/fuzz/fuzz_runner.h"
+
+namespace Envoy {
+namespace Fuzz {
+
+DEFINE_PROTO_FUZZER(const ProtobufWkt::Value& input) { ValueUtil::equal(input, input); }
+
+} // namespace Fuzz
+} // namespace Envoy

test/dummy_main.cc

@@ -0,0 +1,6 @@
+// Dummy main implementation for nooping tests.
+// TODO(htuch): remove when we have a solution for
+// https://github.com/bazelbuild/bazel/issues/3510
+
+// NOLINT(namespace-envoy)
+int main(int /*argc*/, char** /*argv*/) { return 0; }

test/fuzz/BUILD

@@ -25,6 +25,7 @@ envoy_cc_test_library(
     name = "fuzz_runner_lib",
     srcs = ["fuzz_runner.cc"],
     hdrs = ["fuzz_runner.h"],
+    external_deps = ["libprotobuf_mutator"],
     deps = [
         "//source/common/common:logger_lib",
         "//source/common/common:thread_lib",

test/fuzz/README.md

@@ -34,10 +34,12 @@ exist, populated with files that will act as the corpus.
 Your fuzz test will ultimately be driven by a simple interface:
 
 ```c++
-void Envoy::Fuzz::Runner::execute(const uint8_t* data, size_t size);
+DEFINE_FUZZER(const uint8_t* data, size_t size) {
+  // Your test code goes here
+}
 ```
 
-It is up to your test `execute()` implementation to map this buffer of data to
+It is up to your test `DEFINE_FUZZER` implementation to map this buffer of data to
 meaningful semantics, e.g. a stream of network bytes or a protobuf binary input.
 
 The fuzz test will be executed in two environments:
@@ -53,7 +55,7 @@ The fuzz test will be executed in two environments:
 
 ## Defining a new fuzz test
 
-1. Write a fuzz test module implementing the `Envoy::Fuzz::Runner::execute`
+1. Write a fuzz test module implementing the `DEFINE_FUZZER`
    interface. E.g.
    [`test/common/common/base64_fuzz_test.cc`](../../test/common/common/base64_fuzz_test.cc).
 
@@ -66,3 +68,17 @@ The fuzz test will be executed in two environments:
 
 4. Run the `envoy_cc_fuzz_test` target. E.g. `bazel test
    //test/common/common:base64_fuzz_test`.
+
+## Protobuf fuzz tests
+
+We also have integration with
+[libprotobuf-mutator](https://github.com/google/libprotobuf-mutator), allowing
+tests built on a protobuf input to work directly with a typed protobuf object,
+rather than a raw buffer. The interface to this is as described at
+https://github.com/google/libprotobuf-mutator#integrating-with-libfuzzer:
+
+```c++
+DEFINE_PROTO_FUZZER(const MyMessageType& input) {
+  // Your test code goes here
+}
+```

test/fuzz/fuzz_runner.cc

@@ -26,8 +26,3 @@ extern "C" int LLVMFuzzerInitialize(int* /*argc*/, char*** argv) {
   Envoy::Fuzz::Runner::setupEnvironment(1, *argv);
   return 0;
 }
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* buf, size_t len) {
-  Envoy::Fuzz::Runner::execute(buf, len);
-  return 0;
-}

test/fuzz/fuzz_runner.h

@@ -3,6 +3,10 @@
 #include <cstdint>
 #include <cwchar>
 
+// Bring in DEFINE_PROTO_FUZZER definition as per
+// https://github.com/google/libprotobuf-mutator#integrating-with-libfuzzer.
+#include "libprotobuf_mutator/src/libfuzzer/libfuzzer_macro.h"
+
 namespace Envoy {
 namespace Fuzz {
 
@@ -15,13 +19,6 @@ class Runner {
    * @param argv array of command-line args.
    */
   static void setupEnvironment(int argc, char** argv);
-
-  /**
-   * Execute a single fuzz test. This should be implemented by the
-   * envoy_cc_fuzz_test target. See
-   * https://llvm.org/docs/LibFuzzer.html#fuzz-target.
-   */
-  static void execute(const uint8_t* data, size_t size);
 };
 
 } // namespace Fuzz
@@ -31,6 +28,24 @@ class Runner {
 // https://llvm.org/docs/LibFuzzer.html#startup-initialization.
 extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv);
 
-// Entry point from fuzzing library driver, see
-// https://llvm.org/docs/LibFuzzer.html#fuzz-target.
+// See https://llvm.org/docs/LibFuzzer.html#fuzz-target.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size);
+
+#define DEFINE_TEST_ONE_INPUT_IMPL                                                                 \
+  extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {                        \
+    EnvoyTestOneInput(data, size);                                                                 \
+    return 0;                                                                                      \
+  }
+
+/**
+ * Define a fuzz test. This should be used to define a fuzz_cc_fuzz_test_target with:
+ *
+ * DEFINE_FUZZER(const uint8_t* buf, size_t len) {
+ *   // Do some test stuff with buf/len.
+ *   return 0;
+ * }
+ */
+#define DEFINE_FUZZER                                                                              \
+  static void EnvoyTestOneInput(const uint8_t* buf, size_t len);                                   \
+  DEFINE_TEST_ONE_INPUT_IMPL                                                                       \
+  static void EnvoyTestOneInput