Updated fuzzer scripts

Point to new Chromium location Also enable UBSan Change-Id: I4ba182e3c6a967ad89090b776d05762fa9ae6e40
2018-07-16 15:51:01 -07:00 · 2018-07-16 15:51:01 -07:00 · af6c0e6839
parent 7c3cb5caa1
commit af6c0e6839
4 changed files with 26 additions and 8 deletions
--- a/tests/fuzzer/build_fuzzer.sh
+++ b/tests/fuzzer/build_fuzzer.sh
@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-git clone https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer
-clang++ -c -g -O2 -std=c++11 Fuzzer/*.cpp -IFuzzer
+git clone https://chromium.googlesource.com/chromium/llvm-project/compiler-rt/lib/fuzzer
+clang++ -c -g -O2 -std=c++11 fuzzer/*.cpp -Ifuzzer
 ar ruv libFuzzer.a Fuzzer*.o
-rm -rf Fuzzer *.o
+rm -rf fuzzer *.o
--- a/tests/fuzzer/build_run_parser_test.sh
+++ b/tests/fuzzer/build_run_parser_test.sh
@ -14,7 +14,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-clang++ -fsanitize-coverage=edge -fsanitize=address -std=c++11 -stdlib=libstdc++ -I.. -I../../include flatbuffers_parser_fuzzer.cc ../../src/idl_parser.cpp ../../src/util.cpp libFuzzer.a -o fuzz_parser
+clang++ -fsanitize-coverage=edge -fsanitize=address -fsanitize=undefined \
+  -g -fno-omit-frame-pointer -std=c++11 -stdlib=libstdc++ \
+  -I.. -I../../include flatbuffers_parser_fuzzer.cc ../../src/idl_parser.cpp \
+  ../../src/util.cpp libFuzzer.a -o fuzz_parser
 mkdir -p parser_corpus
 cp ../*.json ../*.fbs parser_corpus
 ./fuzz_parser parser_corpus
--- a/tests/fuzzer/build_run_verifier_test.sh
+++ b/tests/fuzzer/build_run_verifier_test.sh
@ -14,7 +14,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-clang++ -fsanitize-coverage=edge -fsanitize=address -std=c++11 -stdlib=libstdc++ -I.. -I../../include flatbuffers_verifier_fuzzer.cc libFuzzer.a -o fuzz_verifier
+clang++ -fsanitize-coverage=edge -fsanitize=address -fsanitize=undefined \
+  -g -fno-omit-frame-pointer -std=c++11 -stdlib=libstdc++ \
+  -I.. -I../../include flatbuffers_verifier_fuzzer.cc libFuzzer.a -o fuzz_verifier
 mkdir -p verifier_corpus
 cp ../*.mon verifier_corpus
 ./fuzz_verifier verifier_corpus
--- a/tests/test.cpp
+++ b/tests/test.cpp
@ -1952,19 +1952,19 @@ void EndianSwapTest() {

 void UninitializedVectorTest() {
  flatbuffers::FlatBufferBuilder builder;
-  
+
  Test *buf = nullptr;
  auto vector_offset = builder.CreateUninitializedVectorOfStructs<Test>(2, &buf);
  TEST_NOTNULL(buf);
  buf[0] = Test(10, 20);
  buf[1] = Test(30, 40);
-  
+
  auto required_name = builder.CreateString("myMonster");
  auto monster_builder = MonsterBuilder(builder);
  monster_builder.add_name(required_name); // required field mandated for monster.
  monster_builder.add_test4(vector_offset);
  builder.Finish(monster_builder.Finish());
-  
+
  auto p = builder.GetBufferPointer();
  auto uvt = flatbuffers::GetRoot<Monster>(p);
  TEST_NOTNULL(uvt);
@ -1978,6 +1978,18 @@ void UninitializedVectorTest() {
  TEST_EQ(test_1->b(), 40);
 }

+// For testing any binaries, e.g. from fuzzing.
+void LoadVerifyBinaryTest() {
+  std::string binary;
+  if (flatbuffers::LoadFile((test_data_path +
+                             "fuzzer/your-filename-here").c_str(),
+                            true, &binary)) {
+    flatbuffers::Verifier verifier(
+          reinterpret_cast<const uint8_t *>(binary.data()), binary.size());
+    TEST_EQ(VerifyMonsterBuffer(verifier), true);
+  }
+}
+
 int main(int /*argc*/, const char * /*argv*/ []) {
  // clang-format off
  #if defined(FLATBUFFERS_MEMORY_LEAK_TRACKING) && \
@ -2021,6 +2033,7 @@ int main(int /*argc*/, const char * /*argv*/ []) {
    ReflectionTest(flatbuf.data(), flatbuf.size());
    ParseProtoTest();
    UnionVectorTest();
+    LoadVerifyBinaryTest();
  #endif
  // clang-format on