1*890232f2SAndroid Build Coastguard Worker# Test Flatbuffers library with help of libFuzzer 2*890232f2SAndroid Build Coastguard WorkerTest suite of Flatbuffers library has fuzzer section with tests are based on libFuzzer library. 3*890232f2SAndroid Build Coastguard Worker 4*890232f2SAndroid Build Coastguard Worker> LibFuzzer is in-process, coverage-guided, evolutionary fuzzing engine. 5*890232f2SAndroid Build Coastguard WorkerLibFuzzer is linked with the library under test, and feeds fuzzed inputs to the library via a specific fuzzing entrypoint (aka “target function”); 6*890232f2SAndroid Build Coastguard Workerthe fuzzer then tracks which areas of the code are reached, and generates mutations on the corpus of input data in order to maximize the code coverage. 7*890232f2SAndroid Build Coastguard WorkerThe code coverage information for libFuzzer is provided by LLVM’s SanitizerCoverage instrumentation. 8*890232f2SAndroid Build Coastguard Worker 9*890232f2SAndroid Build Coastguard WorkerFor details about **libFuzzer** see: https://llvm.org/docs/LibFuzzer.html 10*890232f2SAndroid Build Coastguard Worker 11*890232f2SAndroid Build Coastguard WorkerTo build and run these tests LLVM compiler (with clang frontend) and CMake should be installed before. 12*890232f2SAndroid Build Coastguard Worker 13*890232f2SAndroid Build Coastguard WorkerThe fuzzer section include four tests: 14*890232f2SAndroid Build Coastguard Worker- `annotator_fuzzer` checks that inputs given to the flatc --annotate are always parsable; 15*890232f2SAndroid Build Coastguard Worker- `verifier_fuzzer` checks stability of deserialization engine for `Monster` schema; 16*890232f2SAndroid Build Coastguard Worker- `parser_fuzzer` checks stability of schema and json parser under various inputs; 17*890232f2SAndroid Build Coastguard Worker- `scalar_parser` focused on validation of the parser while parse numeric scalars in schema and/or json files; 18*890232f2SAndroid Build Coastguard Worker- `flexverifier_fuzzer` checks stability of deserialization engine for FlexBuffers only; 19*890232f2SAndroid Build Coastguard Worker 20*890232f2SAndroid Build Coastguard Worker## Build 21*890232f2SAndroid Build Coastguard Worker```sh 22*890232f2SAndroid Build Coastguard Workercd tests/fuzzer 23*890232f2SAndroid Build Coastguard WorkerCC=clang CXX=clang++ cmake . -DCMAKE_BUILD_TYPE=Debug -DUSE_ASAN=ON 24*890232f2SAndroid Build Coastguard Worker``` 25*890232f2SAndroid Build Coastguard Worker 26*890232f2SAndroid Build Coastguard Worker## Run tests with a specific locale 27*890232f2SAndroid Build Coastguard WorkerThe grammar of the Flatbuffers library is based on printable-ASCII characters. 28*890232f2SAndroid Build Coastguard WorkerBy design, the Flatbuffers library should be independent of the global or thread locales used by an end-user application. 29*890232f2SAndroid Build Coastguard WorkerSet environment variable `FLATBUFFERS_TEST_LOCALE` to run a fuzzer with a specific C-locale: 30*890232f2SAndroid Build Coastguard Worker```sh 31*890232f2SAndroid Build Coastguard Worker>FLATBUFFERS_TEST_LOCALE="" ./scalar_parser 32*890232f2SAndroid Build Coastguard Worker>FLATBUFFERS_TEST_LOCALE="ru_RU.CP1251" ./parser_fuzzer 33*890232f2SAndroid Build Coastguard Worker``` 34*890232f2SAndroid Build Coastguard Worker 35*890232f2SAndroid Build Coastguard Worker## Run fuzzer 36*890232f2SAndroid Build Coastguard WorkerThese are examples of running a fuzzer. 37*890232f2SAndroid Build Coastguard WorkerFlags may vary and depend on a version of the libFuzzer library. 38*890232f2SAndroid Build Coastguard WorkerFor details, run a fuzzer with `-help` flag: `./parser_fuzzer -help=1` 39*890232f2SAndroid Build Coastguard Worker 40*890232f2SAndroid Build Coastguard Worker`./verifier_fuzzer ../.corpus_verifier/ ../.seed_verifier/` 41*890232f2SAndroid Build Coastguard Worker 42*890232f2SAndroid Build Coastguard Worker`./parser_fuzzer -only_ascii=1 -max_len=500 -dict=../parser_fbs.dict ../.corpus_parser/ ../.seed_parser/` 43*890232f2SAndroid Build Coastguard Worker 44*890232f2SAndroid Build Coastguard Worker`./monster_fuzzer -only_ascii=1 -max_len=500 -dict=../monster_json.dict ../.corpus_monster/ ../.seed_monster/` 45*890232f2SAndroid Build Coastguard Worker 46*890232f2SAndroid Build Coastguard Worker`./scalar_fuzzer -use_value_profile=1 -max_len=500 -dict=../scalar_json.dict ../.corpus_scalar/ ../.seed_scalar/` 47*890232f2SAndroid Build Coastguard Worker 48*890232f2SAndroid Build Coastguard WorkerFlag `-only_ascii=1` is useful for fast number-compatibility checking while run `scalar_fuzzer`. 49*890232f2SAndroid Build Coastguard Worker 50*890232f2SAndroid Build Coastguard WorkerRun with a specific C-locale: 51*890232f2SAndroid Build Coastguard Worker`FLATBUFFERS_TEST_LOCALE="ru_RU.CP1251" ./scalar_fuzzer -reduce_depth=1 -use_value_profile=1 -shrink=1 -max_len=3000 -timeout=10 -rss_limit_mb=2048 ../.corpus_parser/ ../.seed_parser/` 52*890232f2SAndroid Build Coastguard Worker 53*890232f2SAndroid Build Coastguard Worker 54*890232f2SAndroid Build Coastguard Worker## Merge (minimize) corpus 55*890232f2SAndroid Build Coastguard WorkerThe **libFuzzer** allow to filter (minimize) corpus with help of `-merge` flag: 56*890232f2SAndroid Build Coastguard Worker> -merge 57*890232f2SAndroid Build Coastguard Worker If set to 1, any corpus inputs from the 2nd, 3rd etc. corpus directories that trigger new code coverage will be merged into the first corpus directory. 58*890232f2SAndroid Build Coastguard Worker Defaults to 0. This flag can be used to minimize a corpus. 59*890232f2SAndroid Build Coastguard Worker 60*890232f2SAndroid Build Coastguard WorkerMerge several corpuses to a seed directory (a new collected corpus to the seed collection, for example): 61*890232f2SAndroid Build Coastguard Worker`./verifier_fuzzer -merge=1 ../.seed_verifier/ ../.corpus_verifier/` 62*890232f2SAndroid Build Coastguard Worker`./parser_fuzzer -merge=1 ../.seed_parser/ ../.corpus_parser/` 63*890232f2SAndroid Build Coastguard Worker`./monster_fuzzer -merge=1 ../.seed_monster/ ../.corpus_monster/` 64*890232f2SAndroid Build Coastguard Worker`./scalar_fuzzer -merge=1 ../.seed_scalar/ ../.corpus_scalar/` 65*890232f2SAndroid Build Coastguard Worker 66*890232f2SAndroid Build Coastguard Worker## Know limitations 67*890232f2SAndroid Build Coastguard Worker- LLVM 7.0 std::regex library has problem with stack overflow, maximum length of input for `scalar_fuzzer` run should be limited to 3000. 68*890232f2SAndroid Build Coastguard Worker Example: `./scalar_fuzzer -max_len=3000` 69*890232f2SAndroid Build Coastguard Worker 70*890232f2SAndroid Build Coastguard Worker# Fuzzing control 71*890232f2SAndroid Build Coastguard Worker 72*890232f2SAndroid Build Coastguard Worker## Set timeout or memory limit 73*890232f2SAndroid Build Coastguard Worker 74*890232f2SAndroid Build Coastguard Worker`-timeout=10 -rss_limit_mb=2048 -jobs=4 -workers=4`. 75*890232f2SAndroid Build Coastguard Worker 76*890232f2SAndroid Build Coastguard Worker## Force stop on first UBSAN error 77*890232f2SAndroid Build Coastguard Worker 78*890232f2SAndroid Build Coastguard Worker- `export UBSAN_OPTIONS=halt_on_error=1` 79*890232f2SAndroid Build Coastguard Worker- `export ASAN_OPTIONS=halt_on_error=1` 80