authorTim Taubert <ttaubert@mozilla.com>2017-01-26 11:11:11 +0100
committerTim Taubert <ttaubert@mozilla.com>2017-01-26 11:11:11 +0100
commit8755e4aaa86ba5c53b3a76825bd97d6ded40d503 (patch)
tree291649bee01ce3038c7a36368bae19b9ba7edf22
parent4bd75b18618066d0a6230c876a1bc3f597004484 (diff)
downloadnss-hg-8755e4aaa86ba5c53b3a76825bd97d6ded40d503.tar.gz
Bug 1334062 - Remove libFuzzer dependencies from fuzzers r=franziskus
Differential Revision: https://nss-review.dev.mozaws.net/D177
-rwxr-xr-xautomation/ossfuzz/build.sh4
-rw-r--r--automation/taskcluster/graph/src/extend.js19
-rwxr-xr-xautomation/taskcluster/scripts/fuzz.sh11
-rw-r--r--fuzz/asn1_mutators.cc19
-rw-r--r--fuzz/cert_target.cc17
-rw-r--r--fuzz/fuzz.gyp3
-rw-r--r--fuzz/hash_target.cc3
-rw-r--r--fuzz/initialize.cc54
-rw-r--r--fuzz/pkcs8_target.cc10
-rw-r--r--fuzz/quickder_target.cc10
-rw-r--r--fuzz/shared.h29
-rw-r--r--fuzz/spki_target.cc17
12 files changed, 68 insertions, 128 deletions
diff --git a/automation/ossfuzz/build.sh b/automation/ossfuzz/build.sh
index 2a74426aa..324c33a0e 100755
--- a/automation/ossfuzz/build.sh
+++ b/automation/ossfuzz/build.sh
@@ -10,8 +10,8 @@
declare -A disabled=([pkcs8]=1)
# Build the library.
-CXX="$CXX -stdlib=libc++" CXXFLAGS="$CXXFLAGS -I$SRC/libfuzzer" \
- LDFLAGS="$CFLAGS" ./build.sh -c -v --fuzz=oss --fuzz=tls --disable-tests
+CXX="$CXX -stdlib=libc++" LDFLAGS="$CFLAGS" \
+ ./build.sh -c -v --fuzz=oss --fuzz=tls --disable-tests
# Find fuzzing targets.
for fuzzer in $(find ../dist/Debug/bin -name "nssfuzz-*" -printf "%f\n"); do
diff --git a/automation/taskcluster/graph/src/extend.js b/automation/taskcluster/graph/src/extend.js
index ce4e91ae9..cfa57f74b 100644
--- a/automation/taskcluster/graph/src/extend.js
+++ b/automation/taskcluster/graph/src/extend.js
@@ -325,12 +325,29 @@ async function scheduleFuzzing() {
queue.scheduleTask(merge(base, {
parent: task_build,
+ name: "Hash",
+ command: [
+ "/bin/bash",
+ "-c",
+ "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " +
+ "hash nss/fuzz/corpus/hash -max_total_time=300 -max_len=4096"
+ ],
+ // Need a privileged docker container to remove detect_leaks=0.
+ env: {
+ ASAN_OPTIONS: "allocator_may_return_null=1:detect_leaks=0",
+ },
+ symbol: "Hash",
+ kind: "test"
+ }));
+
+ queue.scheduleTask(merge(base, {
+ parent: task_build,
name: "QuickDER",
command: [
"/bin/bash",
"-c",
"bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " +
- "quickder nss/fuzz/corpus/quickder -max_total_time=300"
+ "quickder nss/fuzz/corpus/quickder -max_total_time=300 -max_len=10000"
],
// Need a privileged docker container to remove detect_leaks=0.
env: {
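Review bot: The input-length caps that were compiled into each target as `DEFAULT_MAX_LENGTH` now exist only in these command strings (`-max_len=4096` for hash, `-max_len=10000` for quickder), so any other way of launching the binaries falls back to libFuzzer's own default. Within the visible changes, the 2048 limit removed from fuzz/pkcs8_target.cc and the 50000 merge limit from fuzz/initialize.cc have no replacement, and automation/ossfuzz/build.sh passes no length option; it is worth confirming that this is intended. A short comment above each command, such as `// max_len: formerly DEFAULT_MAX_LENGTH in hash_target.cc`, would keep the origin of the numbers traceable. scheduleFuzzing() starts and ends outside this hunk.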
diff --git a/automation/taskcluster/scripts/fuzz.sh b/automation/taskcluster/scripts/fuzz.sh
index ed25a805f..72f9f18ea 100755
--- a/automation/taskcluster/scripts/fuzz.sh
+++ b/automation/taskcluster/scripts/fuzz.sh
@@ -11,8 +11,15 @@ fetch_dist
# Clone corpus.
./nss/fuzz/clone_corpus.sh
-# Ensure we have a directory.
-mkdir -p nss/fuzz/corpus/$type
+# Ensure we have a corpus.
+if [ ! -d "nss/fuzz/corpus/$type" ]; then
+ mkdir -p nss/fuzz/corpus/$type
+
+ # Create a corpus out of what we have.
+ for f in $(find nss/fuzz/corpus -type f); do
+ cp $f "nss/fuzz/corpus/$type"
+ done
+fi
# Fetch objdir name.
objdir=$(cat dist/latest)
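Review bot: The copy loop iterates over `$(find nss/fuzz/corpus -type f)` and uses `$f` unquoted, so a path containing whitespace or glob characters is split or expanded, and files that share a basename across corpus directories silently overwrite one another in `nss/fuzz/corpus/$type`. If the corpus directory is a git checkout (clone_corpus.sh runs just above), the loop presumably also copies files from `.git` into the seed corpus. Quoting as `cp "$f" "nss/fuzz/corpus/$type"` and `mkdir -p "nss/fuzz/corpus/$type"`, and adding `-not -path '*/.git/*'` to the find, would tighten this. A comment stating that the seeded corpus is a mix of every other target's inputs would also help whoever later triages coverage for a new target.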
diff --git a/fuzz/asn1_mutators.cc b/fuzz/asn1_mutators.cc
index a7c952290..e0f7a0236 100644
--- a/fuzz/asn1_mutators.cc
+++ b/fuzz/asn1_mutators.cc
@@ -3,10 +3,10 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include <assert.h>
+#include <random>
#include <string.h>
#include <tuple>
-#include "FuzzerRandom.h"
#include "asn1_mutators.h"
using namespace std;
@@ -94,9 +94,11 @@ static vector<uint8_t *> ParseItems(uint8_t *Data, size_t Size) {
size_t ASN1MutatorFlipConstructed(uint8_t *Data, size_t Size, size_t MaxSize,
unsigned int Seed) {
- fuzzer::Random R(Seed);
auto items = ParseItems(Data, Size);
- uint8_t *item = items.at(R(items.size()));
+
+ std::mt19937 rng(Seed);
+ std::uniform_int_distribution<size_t> dist(0, items.size() - 1);
+ uint8_t *item = items.at(dist(rng));
// Flip "constructed" type bit.
item[0] ^= 0x20;
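Review bot: `items.size() - 1` wraps to SIZE_MAX when `ParseItems` returns an empty vector, and `items.at(dist(rng))` then throws `std::out_of_range`, which would abort the fuzzer from inside the mutator rather than from the code under test. Whether `ParseItems` can return nothing (for example for `Size == 0`) is not visible here; if it can, add `if (items.empty()) return Size;` before the distribution is constructed. The same pattern appears in `ASN1MutatorChangeType` in the next hunk. The function body continues past the end of this hunk.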
@@ -106,12 +108,15 @@ size_t ASN1MutatorFlipConstructed(uint8_t *Data, size_t Size, size_t MaxSize,
size_t ASN1MutatorChangeType(uint8_t *Data, size_t Size, size_t MaxSize,
unsigned int Seed) {
- fuzzer::Random R(Seed);
auto items = ParseItems(Data, Size);
- uint8_t *item = items.at(R(items.size()));
- // Change type to a random int [0, 31).
- item[0] = R(31);
+ std::mt19937 rng(Seed);
+ std::uniform_int_distribution<size_t> dist(0, items.size() - 1);
+ uint8_t *item = items.at(dist(rng));
+
+ // Change type to a random int [0, 30].
+ static std::uniform_int_distribution<size_t> tdist(0, 30);
+ item[0] = tdist(rng);
return Size;
}
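Review bot: `tdist` is a function-local `static` while `dist` next to it is a plain local; the standard allows a distribution object to keep state between calls, so the static makes the result depend in principle on call history and not only on `Seed`. Dropping `static` and making the narrowing explicit, `item[0] = static_cast<uint8_t>(tdist(rng));`, keeps the mutator a pure function of its arguments. The values produced by `std::uniform_int_distribution` are also implementation-defined, so the same seed can give different mutations under libc++ and libstdc++; a comment saying so would help anyone replaying a crash by seed.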
diff --git a/fuzz/cert_target.cc b/fuzz/cert_target.cc
deleted file mode 100644
index bcbef0a4e..000000000
--- a/fuzz/cert_target.cc
+++ /dev/null
@@ -1,17 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "FuzzerInternal.h"
-#include "asn1_mutators.h"
-#include "shared.h"
-
-extern const uint16_t DEFAULT_MAX_LENGTH = 3072U;
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
- CERTCertificate cert;
- QuickDERDecode(&cert, SEC_SignedCertificateTemplate, Data, Size);
- return 0;
-}
-
-ADD_CUSTOM_MUTATORS({&ASN1MutatorFlipConstructed, &ASN1MutatorChangeType})
diff --git a/fuzz/fuzz.gyp b/fuzz/fuzz.gyp
index 1ccc9df8f..98c87ad24 100644
--- a/fuzz/fuzz.gyp
+++ b/fuzz/fuzz.gyp
@@ -92,7 +92,6 @@
'type': 'executable',
'sources': [
'asn1_mutators.cc',
- 'initialize.cc',
'pkcs8_target.cc',
],
'dependencies': [
@@ -105,7 +104,6 @@
'type': 'executable',
'sources': [
'asn1_mutators.cc',
- 'initialize.cc',
'quickder_target.cc',
],
'dependencies': [
@@ -118,7 +116,6 @@
'type': 'executable',
'sources': [
'hash_target.cc',
- 'initialize.cc',
],
'dependencies': [
'<(DEPTH)/exports.gyp:nss_exports',
diff --git a/fuzz/hash_target.cc b/fuzz/hash_target.cc
index dad89e8e3..87b0f82c7 100644
--- a/fuzz/hash_target.cc
+++ b/fuzz/hash_target.cc
@@ -5,14 +5,11 @@
#include <memory>
#include <vector>
-#include "FuzzerInternal.h"
#include "hasht.h"
#include "pk11pub.h"
#include "secoidt.h"
#include "shared.h"
-extern const uint16_t DEFAULT_MAX_LENGTH = 4096U;
-
const std::vector<SECOidTag> algos = {SEC_OID_MD5, SEC_OID_SHA1, SEC_OID_SHA256,
SEC_OID_SHA384, SEC_OID_SHA512};
diff --git a/fuzz/initialize.cc b/fuzz/initialize.cc
deleted file mode 100644
index 220d50ed1..000000000
--- a/fuzz/initialize.cc
+++ /dev/null
@@ -1,54 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <string.h>
-#include <algorithm>
-#include <iostream>
-#include <vector>
-
-#include "assert.h"
-
-extern const uint16_t DEFAULT_MAX_LENGTH;
-
-const uint16_t MERGE_MAX_LENGTH = 50000U;
-
-extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
- std::vector<std::string> args(*argv, *argv + *argc);
-
- auto hasMaxLenArg = [](std::string &a) { return a.find("-max_len=") == 0; };
-
- // Nothing to do if a max_len argument is given.
- if (any_of(args.begin(), args.end(), hasMaxLenArg)) {
- return 0;
- }
-
- auto hasMergeArg = [](std::string &a) { return a.find("-merge=1") == 0; };
-
- uint16_t max_length = DEFAULT_MAX_LENGTH;
-
- // Set specific max_len when merging.
- if (any_of(args.begin(), args.end(), hasMergeArg)) {
- max_length = MERGE_MAX_LENGTH;
- }
-
- std::cerr << "INFO: MaxLen: " << max_length << std::endl;
- std::string param = "-max_len=" + std::to_string(max_length);
-
- // Copy original arguments.
- char **new_args = new char *[*argc + 1];
- for (int i = 0; i < *argc; i++) {
- new_args[i] = (*argv)[i];
- }
-
- // Append corpus max length.
- size_t param_len = param.size() + 1;
- new_args[*argc] = new char[param_len];
- memcpy(new_args[*argc], param.c_str(), param_len);
-
- // Update arguments.
- (*argc)++;
- *argv = new_args;
-
- return 0;
-}
diff --git a/fuzz/pkcs8_target.cc b/fuzz/pkcs8_target.cc
index 04a157a53..4c6849090 100644
--- a/fuzz/pkcs8_target.cc
+++ b/fuzz/pkcs8_target.cc
@@ -8,13 +8,10 @@
#include "keyhi.h"
#include "pk11pub.h"
-#include "FuzzerInternal.h"
#include "asn1_mutators.h"
#include "assert.h"
#include "shared.h"
-extern const uint16_t DEFAULT_MAX_LENGTH = 2048U;
-
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
SECItem data = {siBuffer, (unsigned char *)Data, (unsigned int)Size};
@@ -35,4 +32,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
return 0;
}
-ADD_CUSTOM_MUTATORS({&ASN1MutatorFlipConstructed, &ASN1MutatorChangeType})
+extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
+ size_t MaxSize, unsigned int Seed) {
+ static Mutators mutators = {&ASN1MutatorFlipConstructed,
+ &ASN1MutatorChangeType};
+ return CustomMutate(mutators, Data, Size, MaxSize, Seed);
+}
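Review bot: `mutators` is never modified after initialisation, so it can be declared `static const Mutators mutators = {...};`, which in turn needs `CustomMutate` in fuzz/shared.h to take `const Mutators &` instead of `Mutators &`. The identical function added to fuzz/quickder_target.cc has the same point. A one-line comment above the function, e.g. `// libFuzzer hook: picks an ASN.1-aware mutator or falls back to the default mutation`, would replace the documentation the removed `ADD_CUSTOM_MUTATORS` macro name used to provide.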
diff --git a/fuzz/quickder_target.cc b/fuzz/quickder_target.cc
index 08df137cb..4d6277d3b 100644
--- a/fuzz/quickder_target.cc
+++ b/fuzz/quickder_target.cc
@@ -2,7 +2,6 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include "FuzzerInternal.h"
#include "asn1_mutators.h"
#include "shared.h"
@@ -62,8 +61,6 @@ const std::vector<const SEC_ASN1Template *> templates = {
SECKEY_RSAPublicKeyTemplate,
SECOID_AlgorithmIDTemplate};
-extern const uint16_t DEFAULT_MAX_LENGTH = 10000U;
-
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
char *dest[2048];
@@ -80,4 +77,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
return 0;
}
-ADD_CUSTOM_MUTATORS({&ASN1MutatorFlipConstructed, &ASN1MutatorChangeType})
+extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
+ size_t MaxSize, unsigned int Seed) {
+ static Mutators mutators = {&ASN1MutatorFlipConstructed,
+ &ASN1MutatorChangeType};
+ return CustomMutate(mutators, Data, Size, MaxSize, Seed);
+}
diff --git a/fuzz/shared.h b/fuzz/shared.h
index bfa4e8f52..24ca51f85 100644
--- a/fuzz/shared.h
+++ b/fuzz/shared.h
@@ -7,33 +7,34 @@
#ifndef shared_h__
#define shared_h__
-#include "FuzzerRandom.h"
+#include <assert.h>
+#include <random>
#include "cert.h"
#include "nss.h"
+extern "C" size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);
+extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
+ size_t MaxSize, unsigned int Seed);
+
class NSSDatabase {
public:
NSSDatabase() { assert(NSS_NoDB_Init(nullptr) == SECSuccess); }
~NSSDatabase() { assert(NSS_Shutdown() == SECSuccess); }
};
-size_t CustomMutate(std::vector<decltype(LLVMFuzzerCustomMutator) *> mutators,
- uint8_t *Data, size_t Size, size_t MaxSize,
- unsigned int Seed) {
- fuzzer::Random R(Seed);
+typedef std::vector<decltype(LLVMFuzzerCustomMutator) *> Mutators;
+
+size_t CustomMutate(Mutators &mutators, uint8_t *Data, size_t Size,
+ size_t MaxSize, unsigned int Seed) {
+ std::mt19937 rng(Seed);
+ static std::bernoulli_distribution bdist;
- if (R.RandBool()) {
- auto idx = R(mutators.size());
- return mutators.at(idx)(Data, Size, MaxSize, Seed);
+ if (bdist(rng)) {
+ std::uniform_int_distribution<size_t> idist(0, mutators.size() - 1);
+ return mutators.at(idist(rng))(Data, Size, MaxSize, Seed);
}
return LLVMFuzzerMutate(Data, Size, MaxSize);
}
-#define ADD_CUSTOM_MUTATORS(...) \
- extern "C" size_t LLVMFuzzerCustomMutator( \
- uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed) { \
- return CustomMutate(__VA_ARGS__, Data, Size, MaxSize, Seed); \
- }
-
#endif // shared_h__
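Review bot: `CustomMutate` forwards the unchanged `Seed` to the chosen mutator, and the mutators in fuzz/asn1_mutators.cc construct their own `std::mt19937 rng(Seed)`, so their first draw replays the same generator output that just made `bdist(rng)` return true. That likely correlates the item index with the branch decision and leaves part of the index range under-sampled, though the exact effect depends on the standard library. Passing a derived seed, `return mutators.at(idist(rng))(Data, Size, MaxSize, rng());`, would decouple the two. Separately, the header now uses `std::vector` and `uint8_t` without including `<vector>` and `<stdint.h>` itself, and `mutators.size() - 1` wraps if the list is ever empty.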
diff --git a/fuzz/spki_target.cc b/fuzz/spki_target.cc
deleted file mode 100644
index 708ba3bf8..000000000
--- a/fuzz/spki_target.cc
+++ /dev/null
@@ -1,17 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "FuzzerInternal.h"
-#include "asn1_mutators.h"
-#include "shared.h"
-
-extern const uint16_t DEFAULT_MAX_LENGTH = 1024U;
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
- CERTSubjectPublicKeyInfo spki;
- QuickDERDecode(&spki, CERT_SubjectPublicKeyInfoTemplate, Data, Size);
- return 0;
-}
-
-ADD_CUSTOM_MUTATORS({&ASN1MutatorFlipConstructed, &ASN1MutatorChangeType})