fuzz: fuzzing decimal

[overvenus]

What have you changed?

Fuzzing coprocessor::codec::mysql::decimal::Decimal.

Refer to a related PR or issue link

#3145

[BusyJay]

Can the test still pass when the fix from #3145 is removed?

[overvenus]

No, it can not pass even with the fix. Another out of bound access:

INFO: Seed: 1278106962
INFO: Loaded 1 modules   (4251489 guards): 4251489 [0x5629b8788078, 0x5629b97bfdfc), 
INFO:        0 files found in /home/pingcap/stn/tikv-backup/fuzz/corpus/coprocessor_codec_mysql_decimal
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
thread '<unnamed>' panicked at 'index out of bounds: the len is 9 but the index is 9', src/coprocessor/codec/mysql/decimal.rs:1232:17
stack backtrace:
   0: std::sys::unix::backtrace::tracing::imp::unwind_backtrace
             at libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1: std::sys_common::backtrace::print
             at libstd/sys_common/backtrace.rs:71
             at libstd/sys_common/backtrace.rs:59
   2: std::panicking::default_hook::{{closure}}
             at libstd/panicking.rs:207
   3: std::panicking::default_hook
             at libstd/panicking.rs:223
   4: std::panicking::rust_panic_with_hook
             at libstd/panicking.rs:402
   5: std::panicking::begin_panic_fmt
             at libstd/panicking.rs:349
   6: rust_begin_unwind
             at libstd/panicking.rs:325
   7: core::panicking::panic_fmt
             at libcore/panicking.rs:72
   8: core::panicking::panic_bounds_check
             at libcore/panicking.rs:58
   9: tikv::coprocessor::codec::mysql::decimal::Decimal::handle_incr
             at src/coprocessor/codec/mysql/decimal.rs:1232
  10: tikv::coprocessor::codec::mysql::decimal::Decimal::round_with_word_buf_len
             at src/coprocessor/codec/mysql/decimal.rs:1154
  11: coprocessor_codec_mysql_decimal::fuzz
             at fuzz/fuzz_targets/coprocessor/codec/mysql/decimal.rs:38
  12: rust_fuzzer_test_input
             at fuzz/fuzz_targets/coprocessor/codec/mysql/decimal.rs:78
  13: libfuzzer_sys::test_input_wrap::{{closure}}
             at /home/pingcap/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/4594b1f/src/lib.rs:11
  14: std::panicking::try::do_call
             at /checkout/src/libstd/panicking.rs:306
  15: <unknown>
             at libpanic_abort/lib.rs:40
==63844== ERROR: libFuzzer: deadly signal
    #0 0x5629b55d1873 in __sanitizer_print_stack_trace /checkout/src/libcompiler_builtins/compiler-rt/lib/asan/asan_stack.cc:38
    #1 0x5629b7e81e6f in fuzzer::Fuzzer::CrashCallback() /home/pingcap/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/4594b1f/libfuzzer/FuzzerLoop.cpp:233
    #2 0x5629b7e81d2f in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/pingcap/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/4594b1f/libfuzzer/FuzzerLoop.cpp:206
    #3 0x5629b7e7ddc8 in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/pingcap/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/4594b1f/libfuzzer/FuzzerUtilPosix.cpp:36
    #4 0x7fb615da95df  (/lib64/libpthread.so.0+0xf5df)
    #5 0x7fb6157f61f6 in __GI_raise /usr/src/debug/glibc-2.17-c758a686/signal/../nptl/sysdeps/unix/sysv/linux/raise.c:56
    #6 0x7fb6157f78e7 in __GI_abort /usr/src/debug/glibc-2.17-c758a686/stdlib/abort.c:90
    #7 0x5629b7eb4258 in panic_abort::__rust_start_panic::abort::h887b3ed357ab575f (/home/pingcap/stn/tikv-backup/target/x86_64-unknown-linux-gnu/debug/coprocessor_codec_mysql_decimal+0x2a8f258)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0xa,
\x0a
artifact_prefix='/home/pingcap/stn/tikv-backup/fuzz/artifacts/coprocessor_codec_mysql_decimal/'; Test unit written to /home/pingcap/stn/tikv-backup/fuzz/artifacts/coprocessor_codec_mysql_decimal/crash-adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
Base64: Cg==

[BusyJay]

/cc @AndreMouche PTAL

[BusyJay]

Why does CI pass?

[overvenus]

Because we don't run fuzzing tests in CircleCI.

[overvenus]

A friendly ping.

[Hoverbear]

Can you please add the build artifacts of this and the other fuzz targets to the .gitignore?

[overvenus]

Build artifacts has been added to .gitignore already. @Hoverbear

https://github.com/pingcap/tikv/blob/9889895d9198e5fbd90d8a43fa3b41ae3f8d637b/.gitignore#L28-L30

[AndreMouche]

Here we should call round instead of round_with_word_buf_len, or make sure the word_buf is less or equal than 9. Maybe we could make the function round_with_word_buf_len private in another PR.

[overvenus]

Ok, I will skip it.

[Hoverbear]

Have you encountered this, @overvenus ? I wanted to test it.

hoverbear@nomad:tikv/fuzz ‹overvenus-fuzz/decimal*›$ cargo fuzz run coprocessor/codec/mysql/decimal.rs
error: could not decode the manifest file at "/home/hoverbear/git/tikv/Cargo.toml"  caused by: redefinition of table `package` for key `package` at line 21

[overvenus]

@Hoverbear Looks like you are in a wrong path. I can run the test in the project's root path.

$ pwd
/home/user/tikv/fuzz
$ cargo fuzz run coprocessor_codec_mysql_decimal
error: could not decode the manifest file at "/home/user/tikv/Cargo.toml"  caused by: redefinition of table `package` for key `package` at line 21%
$ cd ..
$ cargo fuzz run coprocessor_codec_mysql_decimal
       Fresh cfg-if v0.1.3
       Fresh winapi-build v0.1.1
       ...

[overvenus]

/rebuild