bitcoin-bitcoin-core/src/test/fuzz/fuzz.cpp

// Copyright (c) 2009-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.

#include <test/fuzz/fuzz.h>

#include <fs.h>
#include <netaddress.h>
#include <netbase.h>
#include <test/util/setup_common.h>
#include <util/check.h>
#include <util/sock.h>

#include <cstdint>
#include <exception>
#include <fstream>
#include <functional>
#include <map>
#include <memory>
#include <string>
#include <tuple>
#include <unistd.h>
#include <vector>

const std::function<void(const std::string&)> G_TEST_LOG_FUN{};

/**
 * A copy of the command line arguments that start with `--`.
 * First `LLVMFuzzerInitialize()` is called, which saves the arguments to `g_args`.
 * Later, depending on the fuzz test, `G_TEST_COMMAND_LINE_ARGUMENTS()` may be
 * called by `BasicTestingSetup` constructor to fetch those arguments and store
 * them in `BasicTestingSetup::m_node::args`.
 */
static std::vector<const char*> g_args;

static void SetArgs(int argc, char** argv) {
    for (int i = 1; i < argc; ++i) {
        // Only take into account arguments that start with `--`. The others are for the fuzz engine:
        // `fuzz -runs=1 fuzz_seed_corpus/address_deserialize_v2 --checkaddrman=5`
        if (strlen(argv[i]) > 2 && argv[i][0] == '-' && argv[i][1] == '-') {
            g_args.push_back(argv[i]);
        }
    }
}

const std::function<std::vector<const char*>()> G_TEST_COMMAND_LINE_ARGUMENTS = []() {
    return g_args;
};

std::map<std::string_view, std::tuple<TypeTestOneInput, TypeInitialize, TypeHidden>>& FuzzTargets()
{
    static std::map<std::string_view, std::tuple<TypeTestOneInput, TypeInitialize, TypeHidden>> g_fuzz_targets;
    return g_fuzz_targets;
}

void FuzzFrameworkRegisterTarget(std::string_view name, TypeTestOneInput target, TypeInitialize init, TypeHidden hidden)
{
    const auto it_ins = FuzzTargets().try_emplace(name, std::move(target), std::move(init), hidden);
    Assert(it_ins.second);
}

static TypeTestOneInput* g_test_one_input{nullptr};

void initialize()
{
    // Terminate immediately if a fuzzing harness ever tries to create a TCP socket.
    CreateSock = [](const CService&) -> std::unique_ptr<Sock> { std::terminate(); };

    // Terminate immediately if a fuzzing harness ever tries to perform a DNS lookup.
    g_dns_lookup = [](const std::string& name, bool allow_lookup) {
        if (allow_lookup) {
            std::terminate();
        }
        return WrappedGetAddrInfo(name, false);
    };

    bool should_abort{false};
    if (std::getenv("PRINT_ALL_FUZZ_TARGETS_AND_ABORT")) {
        for (const auto& t : FuzzTargets()) {
            if (std::get<2>(t.second)) continue;
            std::cout << t.first << std::endl;
        }
        should_abort = true;
    }
    if (const char* out_path = std::getenv("WRITE_ALL_FUZZ_TARGETS_AND_ABORT")) {
        std::cout << "Writing all fuzz target names to '" << out_path << "'." << std::endl;
        std::ofstream out_stream{out_path, std::ios::binary};
        for (const auto& t : FuzzTargets()) {
            if (std::get<2>(t.second)) continue;
            out_stream << t.first << std::endl;
        }
        should_abort = true;
    }
    Assert(!should_abort);
    std::string_view fuzz_target{Assert(std::getenv("FUZZ"))};
    const auto it = FuzzTargets().find(fuzz_target);
    Assert(it != FuzzTargets().end());
    Assert(!g_test_one_input);
    g_test_one_input = &std::get<0>(it->second);
    std::get<1>(it->second)();
}

#if defined(PROVIDE_FUZZ_MAIN_FUNCTION)
static bool read_stdin(std::vector<uint8_t>& data)
{
    uint8_t buffer[1024];
    ssize_t length = 0;
    while ((length = read(STDIN_FILENO, buffer, 1024)) > 0) {
        data.insert(data.end(), buffer, buffer + length);
    }
    return length == 0;
}
#endif

// This function is used by libFuzzer
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
    static const auto& test_one_input = *Assert(g_test_one_input);
    test_one_input({data, size});
    return 0;
}

// This function is used by libFuzzer
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)
{
    SetArgs(*argc, *argv);
    initialize();
    return 0;
}

#if defined(PROVIDE_FUZZ_MAIN_FUNCTION)
int main(int argc, char** argv)
{
    initialize();
    static const auto& test_one_input = *Assert(g_test_one_input);
#ifdef __AFL_INIT
    // Enable AFL deferred forkserver mode. Requires compilation using
    // afl-clang-fast++. See fuzzing.md for details.
    __AFL_INIT();
#endif

#ifdef __AFL_LOOP
    // Enable AFL persistent mode. Requires compilation using afl-clang-fast++.
    // See fuzzing.md for details.
    while (__AFL_LOOP(1000)) {
        std::vector<uint8_t> buffer;
        if (!read_stdin(buffer)) {
            continue;
        }
        test_one_input(buffer);
    }
#else
    std::vector<uint8_t> buffer;
    if (!read_stdin(buffer)) {
        return 0;
    }
    test_one_input(buffer);
#endif
    return 0;
}
#endif
scripted-diff: Rename MakeFuzzingContext to MakeNoLogFileContext -BEGIN VERIFY SCRIPT- # Rename sed -i -e 's/MakeFuzzingContext/MakeNoLogFileContext/g' $(git grep -l MakeFuzzingContext) # Bump the copyright of touched files in this scripted diff to avoid touching them again later ./contrib/devtools/copyright_header.py update ./src/test/fuzz/ -END VERIFY SCRIPT- 2021-01-25 12:23:45 +01:00			`// Copyright (c) 2009-2021 The Bitcoin Core developers`
test: Build fuzz targets into seperate executables 2019-01-25 18:35:36 -05:00			`// Distributed under the MIT software license, see the accompanying`
			`// file COPYING or http://www.opensource.org/licenses/mit-license.php.`

			`#include <test/fuzz/fuzz.h>`

refactor: replace boost::filesystem with std::filesystem Warning: Replacing fs::system_complete calls with fs::absolute calls in this commit may cause minor changes in behaviour because fs::absolute no longer strips trailing slashes; however these changes are believed to be safe. Co-authored-by: Russell Yanofsky <russ@yanofsky.org> Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com> 2020-06-11 08:58:46 +02:00			`#include <fs.h>`
fuzz: Terminate immediately if a fuzzing harness ever tries to create a TCP socket (belt and suspenders) 2021-05-20 19:01:46 +00:00			`#include <netaddress.h>`
			`#include <netbase.h>`
test: Show debug log on unit test failure 2019-09-27 11:53:34 -04:00			`#include <test/util/setup_common.h>`
fuzz: Link all targets once 2020-12-03 16:42:49 +01:00			`#include <util/check.h>`
fuzz: Terminate immediately if a fuzzing harness ever tries to create a TCP socket (belt and suspenders) 2021-05-20 19:01:46 +00:00			`#include <util/sock.h>`
test: Show debug log on unit test failure 2019-09-27 11:53:34 -04:00
tests: Skip unnecessary fuzzer initialisation. Hold ECCVerifyHandle only when needed. 2019-10-23 21:46:53 +00:00			`#include <cstdint>`
fuzz: Terminate immediately if a fuzzing harness ever tries to create a TCP socket (belt and suspenders) 2021-05-20 19:01:46 +00:00			`#include <exception>`
refactor: replace boost::filesystem with std::filesystem Warning: Replacing fs::system_complete calls with fs::absolute calls in this commit may cause minor changes in behaviour because fs::absolute no longer strips trailing slashes; however these changes are believed to be safe. Co-authored-by: Russell Yanofsky <russ@yanofsky.org> Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com> 2020-06-11 08:58:46 +02:00			`#include <fstream>`
test: parse the command line arguments in unit tests Retrieve the command line arguments from boost and pass them to `BasicTestingSetup` so that we gain extra flexibility of passing any config options on the test command line, e.g.: ``` test_bitcoin -- -printtoconsole=1 -checkaddrman=5 ``` 2021-10-08 18:11:40 +02:00			`#include <functional>`
refactor: replace boost::filesystem with std::filesystem Warning: Replacing fs::system_complete calls with fs::absolute calls in this commit may cause minor changes in behaviour because fs::absolute no longer strips trailing slashes; however these changes are believed to be safe. Co-authored-by: Russell Yanofsky <russ@yanofsky.org> Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com> 2020-06-11 08:58:46 +02:00			`#include <map>`
fuzz: Terminate immediately if a fuzzing harness ever tries to create a TCP socket (belt and suspenders) 2021-05-20 19:01:46 +00:00			`#include <memory>`
fuzz: Terminate immediately if a fuzzing harness ever tries to perform a DNS lookup (belts and suspenders) 2021-05-21 19:43:15 +00:00			`#include <string>`
refactor: replace boost::filesystem with std::filesystem Warning: Replacing fs::system_complete calls with fs::absolute calls in this commit may cause minor changes in behaviour because fs::absolute no longer strips trailing slashes; however these changes are believed to be safe. Co-authored-by: Russell Yanofsky <russ@yanofsky.org> Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com> 2020-06-11 08:58:46 +02:00			`#include <tuple>`
test: Build fuzz targets into seperate executables 2019-01-25 18:35:36 -05:00			`#include <unistd.h>`
tests: Skip unnecessary fuzzer initialisation. Hold ECCVerifyHandle only when needed. 2019-10-23 21:46:53 +00:00			`#include <vector>`
test: Build fuzz targets into seperate executables 2019-01-25 18:35:36 -05:00
test: Show debug log on unit test failure 2019-09-27 11:53:34 -04:00			`const std::function<void(const std::string&)> G_TEST_LOG_FUN{};`

fuzz: parse the command line arguments in fuzz tests Retrieve the command line arguments from the fuzzer and save them for later retrieval by `BasicTestingSetup` so that we gain extra flexibility of passing any config options on the test command line, e.g.: ``` FUZZ=addrman ./src/test/fuzz/fuzz --checkaddrman=5 ``` A fuzz test should call `MakeNoLogFileContext<>()` in its initialize function in order to invoke the constructor of `BasicTestingSetup`, which sets `gArgs`. 2021-10-26 17:26:16 +02:00			`/**`
			* A copy of the command line arguments that start with `--`.
			* First `LLVMFuzzerInitialize()` is called, which saves the arguments to `g_args`.
			* Later, depending on the fuzz test, `G_TEST_COMMAND_LINE_ARGUMENTS()` may be
			* called by `BasicTestingSetup` constructor to fetch those arguments and store
			* them in `BasicTestingSetup::m_node::args`.
			`*/`
			`static std::vector<const char*> g_args;`

			`static void SetArgs(int argc, char** argv) {`
			`for (int i = 1; i < argc; ++i) {`
			// Only take into account arguments that start with `--`. The others are for the fuzz engine:
			// `fuzz -runs=1 fuzz_seed_corpus/address_deserialize_v2 --checkaddrman=5`
			`if (strlen(argv[i]) > 2 && argv[i][0] == '-' && argv[i][1] == '-') {`
			`g_args.push_back(argv[i]);`
			`}`
			`}`
			`}`

			`const std::function<std::vector<const char*>()> G_TEST_COMMAND_LINE_ARGUMENTS = []() {`
			`return g_args;`
			`};`
test: parse the command line arguments in unit tests Retrieve the command line arguments from boost and pass them to `BasicTestingSetup` so that we gain extra flexibility of passing any config options on the test command line, e.g.: ``` test_bitcoin -- -printtoconsole=1 -checkaddrman=5 ``` 2021-10-08 18:11:40 +02:00
fuzz: Hide script_assets_test_minimizer Can be reviewed with --ignore-all-space 2021-02-08 10:13:08 +01:00			`std::map<std::string_view, std::tuple<TypeTestOneInput, TypeInitialize, TypeHidden>>& FuzzTargets()`
fuzz: Link all targets once 2020-12-03 16:42:49 +01:00			`{`
fuzz: Hide script_assets_test_minimizer Can be reviewed with --ignore-all-space 2021-02-08 10:13:08 +01:00			`static std::map<std::string_view, std::tuple<TypeTestOneInput, TypeInitialize, TypeHidden>> g_fuzz_targets;`
fuzz: Link all targets once 2020-12-03 16:42:49 +01:00			`return g_fuzz_targets;`
			`}`

fuzz: Hide script_assets_test_minimizer Can be reviewed with --ignore-all-space 2021-02-08 10:13:08 +01:00			`void FuzzFrameworkRegisterTarget(std::string_view name, TypeTestOneInput target, TypeInitialize init, TypeHidden hidden)`
fuzz: Link all targets once 2020-12-03 16:42:49 +01:00			`{`
fuzz: Hide script_assets_test_minimizer Can be reviewed with --ignore-all-space 2021-02-08 10:13:08 +01:00			`const auto it_ins = FuzzTargets().try_emplace(name, std::move(target), std::move(init), hidden);`
fuzz: Link all targets once 2020-12-03 16:42:49 +01:00			`Assert(it_ins.second);`
			`}`

			`static TypeTestOneInput* g_test_one_input{nullptr};`

			`void initialize()`
			`{`
fuzz: Terminate immediately if a fuzzing harness ever tries to create a TCP socket (belt and suspenders) 2021-05-20 19:01:46 +00:00			`// Terminate immediately if a fuzzing harness ever tries to create a TCP socket.`
			`CreateSock = [](const CService&) -> std::unique_ptr<Sock> { std::terminate(); };`

fuzz: Terminate immediately if a fuzzing harness ever tries to perform a DNS lookup (belts and suspenders) 2021-05-21 19:43:15 +00:00			`// Terminate immediately if a fuzzing harness ever tries to perform a DNS lookup.`
			`g_dns_lookup = [](const std::string& name, bool allow_lookup) {`
			`if (allow_lookup) {`
			`std::terminate();`
			`}`
			`return WrappedGetAddrInfo(name, false);`
			`};`

fuzz: Add WRITE_ALL_FUZZ_TARGETS_AND_ABORT 2021-05-07 11:04:01 +02:00			`bool should_abort{false};`
fuzz: Link all targets once 2020-12-03 16:42:49 +01:00			`if (std::getenv("PRINT_ALL_FUZZ_TARGETS_AND_ABORT")) {`
			`for (const auto& t : FuzzTargets()) {`
fuzz: Hide script_assets_test_minimizer Can be reviewed with --ignore-all-space 2021-02-08 10:13:08 +01:00			`if (std::get<2>(t.second)) continue;`
fuzz: Link all targets once 2020-12-03 16:42:49 +01:00			`std::cout << t.first << std::endl;`
			`}`
fuzz: Add WRITE_ALL_FUZZ_TARGETS_AND_ABORT 2021-05-07 11:04:01 +02:00			`should_abort = true;`
fuzz: Link all targets once 2020-12-03 16:42:49 +01:00			`}`
fuzz: Add WRITE_ALL_FUZZ_TARGETS_AND_ABORT 2021-05-07 11:04:01 +02:00			`if (const char* out_path = std::getenv("WRITE_ALL_FUZZ_TARGETS_AND_ABORT")) {`
			`std::cout << "Writing all fuzz target names to '" << out_path << "'." << std::endl;`
refactor: replace boost::filesystem with std::filesystem Warning: Replacing fs::system_complete calls with fs::absolute calls in this commit may cause minor changes in behaviour because fs::absolute no longer strips trailing slashes; however these changes are believed to be safe. Co-authored-by: Russell Yanofsky <russ@yanofsky.org> Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com> 2020-06-11 08:58:46 +02:00			`std::ofstream out_stream{out_path, std::ios::binary};`
fuzz: Add WRITE_ALL_FUZZ_TARGETS_AND_ABORT 2021-05-07 11:04:01 +02:00			`for (const auto& t : FuzzTargets()) {`
			`if (std::get<2>(t.second)) continue;`
			`out_stream << t.first << std::endl;`
			`}`
			`should_abort = true;`
			`}`
			`Assert(!should_abort);`
fuzz: Link all targets once 2020-12-03 16:42:49 +01:00			`std::string_view fuzz_target{Assert(std::getenv("FUZZ"))};`
			`const auto it = FuzzTargets().find(fuzz_target);`
			`Assert(it != FuzzTargets().end());`
			`Assert(!g_test_one_input);`
			`g_test_one_input = &std::get<0>(it->second);`
			`std::get<1>(it->second)();`
			`}`

scripted-diff: Rename PROVIDE_MAIN_FUNCTION -> PROVIDE_FUZZ_MAIN_FUNCTION -BEGIN VERIFY SCRIPT- sed -i -e 's/PROVIDE_MAIN_FUNCTION/PROVIDE_FUZZ_MAIN_FUNCTION/g' $(git grep -l PROVIDE_MAIN_FUNCTION) -END VERIFY SCRIPT- 2021-02-11 11:28:38 +01:00			`#if defined(PROVIDE_FUZZ_MAIN_FUNCTION)`
test: Build fuzz targets into seperate executables 2019-01-25 18:35:36 -05:00			`static bool read_stdin(std::vector<uint8_t>& data)`
			`{`
			`uint8_t buffer[1024];`
			`ssize_t length = 0;`
			`while ((length = read(STDIN_FILENO, buffer, 1024)) > 0) {`
			`data.insert(data.end(), buffer, buffer + length);`
			`}`
			`return length == 0;`
			`}`
test: only declare a main() when fuzzing with AFL libFuzzer will provide a main(). This also fixes a weak linking issue when fuzzing with libFuzzer on macOS. 2020-01-27 14:51:33 +08:00			`#endif`
test: Build fuzz targets into seperate executables 2019-01-25 18:35:36 -05:00
			`// This function is used by libFuzzer`
			`extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)`
			`{`
fuzz: Link all targets once 2020-12-03 16:42:49 +01:00			`static const auto& test_one_input = *Assert(g_test_one_input);`
fuzz: Avoid extraneous copy of input data, using Span<> 2021-01-02 19:29:36 +01:00			`test_one_input({data, size});`
test: Build fuzz targets into seperate executables 2019-01-25 18:35:36 -05:00			`return 0;`
			`}`

			`// This function is used by libFuzzer`
			`extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv)`
			`{`
fuzz: parse the command line arguments in fuzz tests Retrieve the command line arguments from the fuzzer and save them for later retrieval by `BasicTestingSetup` so that we gain extra flexibility of passing any config options on the test command line, e.g.: ``` FUZZ=addrman ./src/test/fuzz/fuzz --checkaddrman=5 ``` A fuzz test should call `MakeNoLogFileContext<>()` in its initialize function in order to invoke the constructor of `BasicTestingSetup`, which sets `gArgs`. 2021-10-26 17:26:16 +02:00			`SetArgs(argc, argv);`
test: Build fuzz targets into seperate executables 2019-01-25 18:35:36 -05:00			`initialize();`
			`return 0;`
			`}`

scripted-diff: Rename PROVIDE_MAIN_FUNCTION -> PROVIDE_FUZZ_MAIN_FUNCTION -BEGIN VERIFY SCRIPT- sed -i -e 's/PROVIDE_MAIN_FUNCTION/PROVIDE_FUZZ_MAIN_FUNCTION/g' $(git grep -l PROVIDE_MAIN_FUNCTION) -END VERIFY SCRIPT- 2021-02-11 11:28:38 +01:00			`#if defined(PROVIDE_FUZZ_MAIN_FUNCTION)`
Fix fuzz binary compilation under windows 2021-02-18 13:25:30 -05:00			`int main(int argc, char** argv)`
test: Build fuzz targets into seperate executables 2019-01-25 18:35:36 -05:00			`{`
			`initialize();`
fuzz: Link all targets once 2020-12-03 16:42:49 +01:00			`static const auto& test_one_input = *Assert(g_test_one_input);`
test: Build fuzz targets into seperate executables 2019-01-25 18:35:36 -05:00			`#ifdef __AFL_INIT`
			`// Enable AFL deferred forkserver mode. Requires compilation using`
			`// afl-clang-fast++. See fuzzing.md for details.`
			`__AFL_INIT();`
			`#endif`

			`#ifdef __AFL_LOOP`
			`// Enable AFL persistent mode. Requires compilation using afl-clang-fast++.`
			`// See fuzzing.md for details.`
			`while (__AFL_LOOP(1000)) {`
			`std::vector<uint8_t> buffer;`
			`if (!read_stdin(buffer)) {`
			`continue;`
			`}`
			`test_one_input(buffer);`
			`}`
			`#else`
			`std::vector<uint8_t> buffer;`
			`if (!read_stdin(buffer)) {`
			`return 0;`
			`}`
			`test_one_input(buffer);`
			`#endif`
			`return 0;`
			`}`
test: only declare a main() when fuzzing with AFL libFuzzer will provide a main(). This also fixes a weak linking issue when fuzzing with libFuzzer on macOS. 2020-01-27 14:51:33 +08:00			`#endif`