Merge pull request #53 from fitzgen/update-arbitrary

Update arbitrary

.travis.yml

@@ -10,10 +10,4 @@ env:
   - ARCH=x86_64
 notifications:
   email: false
-script:
-  - cd example
-  - cargo rustc --release -- -Cpasses='sancov' -Cllvm-args=-sanitizer-coverage-level=4 -Cllvm-args=-sanitizer-coverage-trace-compares -Cllvm-args=-sanitizer-coverage-inline-8bit-counters -Cllvm-args=-sanitizer-coverage-stack-depth -Cllvm-args=-sanitizer-coverage-trace-geps -Cllvm-args=-sanitizer-coverage-prune-blocks=0 -Zsanitizer=address
-  - (! ./target/release/example -runs=100000)
-  - cd ../example_arbitrary
-  - cargo rustc --release -- -Cpasses='sancov' -Cllvm-args=-sanitizer-coverage-level=4 -Cllvm-args=-sanitizer-coverage-trace-compares -Cllvm-args=-sanitizer-coverage-inline-8bit-counters -Cllvm-args=-sanitizer-coverage-stack-depth -Cllvm-args=-sanitizer-coverage-trace-geps -Cllvm-args=-sanitizer-coverage-prune-blocks=0 -Zsanitizer=address
-  - (! ./target/release/example -runs=10000000)
+script: ./ci/script.sh

Cargo.toml

@@ -13,7 +13,11 @@ edition = "2018"
 members = ["."]
 
 [dependencies]
-arbitrary = "0.2"
+# arbitrary = "0.3"
+arbitrary = { git = "https://github.com/rust-fuzz/arbitrary.git", rev = "8fa099d" }
 
 [build-dependencies]
 cc = "1.0"
+
+[features]
+arbitrary-derive = ["arbitrary/derive"]

ci/script.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+set -eux
+cd $(dirname $0)/..
+
+export CARGO_TARGET_DIR=$(pwd)/target
+
+pushd ./example
+cargo rustc \
+      --release \
+      -- \
+      -Cpasses='sancov' \
+      -Cllvm-args=-sanitizer-coverage-level=4 \
+      -Cllvm-args=-sanitizer-coverage-trace-compares \
+      -Cllvm-args=-sanitizer-coverage-inline-8bit-counters \
+      -Cllvm-args=-sanitizer-coverage-stack-depth \
+      -Cllvm-args=-sanitizer-coverage-trace-geps \
+      -Cllvm-args=-sanitizer-coverage-prune-blocks=0 \
+      -Zsanitizer=address
+(! $CARGO_TARGET_DIR/release/example -runs=100000)
+popd
+
+pushd ./example_arbitrary
+cargo rustc \
+      --release \
+      -- \
+      -Cpasses='sancov' \
+      -Cllvm-args=-sanitizer-coverage-level=4 \
+      -Cllvm-args=-sanitizer-coverage-trace-compares \
+      -Cllvm-args=-sanitizer-coverage-inline-8bit-counters \
+      -Cllvm-args=-sanitizer-coverage-stack-depth \
+      -Cllvm-args=-sanitizer-coverage-trace-geps \
+      -Cllvm-args=-sanitizer-coverage-prune-blocks=0 \
+      -Zsanitizer=address
+(! $CARGO_TARGET_DIR/release/example_arbitrary -runs=10000000)
+RUST_LIBFUZZER_DEBUG_PATH=$(pwd)/debug_output \
+    $CARGO_TARGET_DIR/release/example_arbitrary \
+    $(ls ./crash-* | head -n 1)
+cat $(pwd)/debug_output
+grep -q Rgb $(pwd)/debug_output
+popd

example/.gitignore

@@ -0,0 +1 @@
+crash-*

example_arbitrary/.gitignore

@@ -0,0 +1,2 @@
+crash-*
+debug_output

example_arbitrary/Cargo.toml

@@ -1,5 +1,5 @@
 [package]
-name = "example"
+name = "example_arbitrary"
 version = "0.1.0"
 authors = ["Simonas Kazlauskas <git@kazlauskas.me>"]
 edition = "2018"
@@ -8,5 +8,4 @@ edition = "2018"
 members = ["."]
 
 [dependencies]
-libfuzzer-sys = { path = ".." }
-arbitrary = "0.2"
+libfuzzer-sys = { path = "..", features = ["arbitrary-derive"] }

example_arbitrary/src/main.rs

@@ -1,9 +1,18 @@
 #![no_main]
 
-use libfuzzer_sys::fuzz_target;
+use libfuzzer_sys::{arbitrary, fuzz_target};
 
-fuzz_target!(|data: u16| {
-    if data == 0xba7 { // ba[nana]
-        panic!("success!");
+#[derive(arbitrary::Arbitrary, Debug)]
+struct Rgb {
+    r: u8,
+    g: u8,
+    b: u8,
+}
+
+fuzz_target!(|rgb: Rgb| {
+    if rgb.r < rgb.g {
+        if rgb.g < rgb.b {
+            panic!("success: r < g < b!");
+        }
     }
 });

src/lib.rs

@@ -118,6 +118,18 @@ macro_rules! fuzz_target {
     (|$bytes:ident| $body:block) => {
         #[no_mangle]
         pub extern "C" fn rust_fuzzer_test_input($bytes: &[u8]) {
+            // When `RUST_LIBFUZZER_DEBUG_PATH` is set, write the debug
+            // formatting of the input to that file. This is only intended for
+            // `cargo fuzz`'s use!
+            if let Ok(path) = std::env::var("RUST_LIBFUZZER_DEBUG_PATH") {
+                use std::io::Write;
+                let mut file = std::fs::File::create(path)
+                    .expect("failed to create `RUST_LIBFUZZER_DEBUG_PATH` file");
+                writeln!(&mut file, "{:?}", $bytes)
+                    .expect("failed to write to `RUST_LIBFUZZER_DEBUG_PATH` file");
+                return;
+            }
+
             $body
         }
     };
@@ -129,14 +141,27 @@ macro_rules! fuzz_target {
     (|$data:ident: $dty: ty| $body:block) => {
         #[no_mangle]
         pub extern "C" fn rust_fuzzer_test_input(bytes: &[u8]) {
-            use libfuzzer_sys::arbitrary::{Arbitrary, RingBuffer};
+            use libfuzzer_sys::arbitrary::{Arbitrary, Unstructured};
 
-            let mut buf = match RingBuffer::new(bytes, bytes.len()) {
-                Ok(b) => b,
-                Err(_) => return,
-            };
+            let mut u = Unstructured::new(bytes);
+            let data = <$dty as Arbitrary>::arbitrary_take_rest(u);
+
+            // When `RUST_LIBFUZZER_DEBUG_PATH` is set, write the debug
+            // formatting of the input to that file. This is only intended for
+            // `cargo fuzz`'s use!
+            if let Ok(path) = std::env::var("RUST_LIBFUZZER_DEBUG_PATH") {
+                use std::io::Write;
+                let mut file = std::fs::File::create(path)
+                    .expect("failed to create `RUST_LIBFUZZER_DEBUG_PATH` file");
+                (match data {
+                    Ok(data) => writeln!(&mut file, "{:#?}", data),
+                    Err(err) => writeln!(&mut file, "Arbitrary Error: {}", err),
+                })
+                .expect("failed to write to `RUST_LIBFUZZER_DEBUG_PATH` file");
+                return;
+            }
 
-            let $data: $dty = match Arbitrary::arbitrary(&mut buf) {
+            let $data = match data {
                 Ok(d) => d,
                 Err(_) => return,
             };