##// END OF EJS Templates
upstream » mercurial-mirror
RSS

Clone from https://www.mercurial-scm.org/repo/hg-all

fuzz: new fuzzer for cext/manifest.c...
fuzz: new fuzzer for cext/manifest.c This is a bit messy, because lazymanifest is tightly coupled to the cpython API for performance reasons. As a result, we have to build a whole Python without pymalloc (so ASAN can help us out) and link against that. Then we have to use an embedded Python interpreter. We could manually drive the lazymanifest in C from that point, but experimentally just using PyEval_EvalCode isn't really any slower so we may as well do that and write the innermost guts of the fuzzer in Python. Leak detection is currently disabled for this fuzzer because there are a few global-lifetime things in our extensions that we more or less intentionally leak and I didn't want to take the detour to work around that for now. This should not be pushed to our repo until https://github.com/google/oss-fuzz/pull/1853 is merged, as this depends on having the Python tarball around. Differential Revision: https://phab.mercurial-scm.org/D4879
Augie Fackler - - Load All Authors

File last commit:

r40089:8c692a6b default
r40089:8c692a6b default
Show More
manifest.cc
75 lines | 2.2 KiB | text/x-c | CppLexer
/ contrib / fuzz / manifest.cc
History | Annotation | Raw |Copy content |Copy permalink
#include <Python.h>
#include <assert.h>
#include <stdlib.h>
#include <unistd.h>
#include <string>
extern "C" {
/* TODO: use Python 3 for this fuzzing? */
PyMODINIT_FUNC initparsers(void);
static char cpypath[8192] = "\0";
extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv)
{
const std::string subdir = "/sanpy/lib/python2.7";
/* HACK ALERT: we need a full Python installation built without
pymalloc and with ASAN, so we dump one in
$OUT/sanpy/lib/python2.7. This helps us wire that up. */
std::string selfpath(*argv[0]);
std::string pypath;
auto pos = selfpath.rfind("/");
if (pos == std::string::npos) {
char wd[8192];
getcwd(wd, 8192);
pypath = std::string(wd) + subdir;
} else {
pypath = selfpath.substr(0, pos) + subdir;
}
strncpy(cpypath, pypath.c_str(), pypath.size());
setenv("PYTHONPATH", cpypath, 1);
Py_SetPythonHome(cpypath);
return 0;
}
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
Py_InitializeEx(0);
initparsers();
PyObject *mtext =
PyBytes_FromStringAndSize((const char *)Data, (Py_ssize_t)Size);
PyObject *mainmod = PyImport_AddModule("__main__");
PyObject *globals = PyModule_GetDict(mainmod);
PyObject *locals = PyDict_New();
PyDict_SetItemString(locals, "mdata", mtext);
PyCodeObject *code =
(PyCodeObject *)Py_CompileString(R"py(
from parsers import lazymanifest
lm = lazymanifest(mdata)
try:
# iterate the whole thing, which causes the code to fully parse
# every line in the manifest
list(lm.iterentries())
lm[b'xyzzy'] = (b'\0' * 20, 'x')
# do an insert, text should change
assert lm.text() != mdata, "insert should change text and didn't: %r %r" % (lm.text(), mdata)
del lm[b'xyzzy']
# should be back to the same
assert lm.text() == mdata, "delete should have restored text but didn't: %r %r" % (lm.text(), mdata)
except Exception as e:
pass
# uncomment this print if you're editing this Python code
# to debug failures.
# print e
)py",
"fuzzer", Py_file_input);
PyEval_EvalCode(code, globals, locals);
Py_DECREF(code);
Py_DECREF(locals);
Py_DECREF(mtext);
Py_Finalize();
return 0; // Non-zero return values are reserved for future use.
}
}