verify: libFuzzer harness for secs2::decode + try_parse_sml

Coverage-guided structural search for crashes and undefined behaviour
on arbitrary input to our two parsers.

What's wired:
- -DSECSGEM_FUZZ=ON CMake option, clang-only.  Adds
  -fsanitize=fuzzer-no-link,address,undefined to all targets +
  -fsanitize=fuzzer to the two fuzz executables.
- apps/fuzz_secs2_decode.cpp — feeds raw bytes to secs2::decode.
  Catches secs2::CodecError (expected) but traps on anything else
  leaking (would be a hardening bug).
- apps/fuzz_sml_parse.cpp — feeds string to try_parse_sml, which is
  contractually nothrow-equivalent; traps on any exception.
- .gitea/workflows/ci.yml — `libfuzzer` job builds with clang and
  runs each fuzzer for 60s in CI.  Any crash / ASan / UBSan flag
  fails the job.
- Dockerfile gains clang + libclang-rt-18-dev so devs can run
  locally with the same toolchain.

Result on a fresh 30-second local run:
  fuzz_secs2_decode:  70 727 random inputs, 0 crashes
  fuzz_sml_parse:    284 950 random inputs, 0 crashes

The coverage-guided search found and synthesized inputs that
exercise: zero-byte, single-byte format tags, all length-byte
counts (1/2/3), nested lists, format bytes with reserved bits, the
"BOOLEAN" SML token, malformed quoted strings, etc.  libFuzzer's
recommended dictionary at the end of each run shows what bytes /
substrings the coverage feedback discovered as discriminating —
useful signals if we ever want a hand-curated corpus.

README proof table grows to 8 commands.  After this:
  - 426 unit tests (internal)
  - 47 conformance harness checks (internal)
  - 24 secsgem-py interop checks (external — Python ref impl)
  - 20 secs4j interop checks (external — independent Java impl)
  - 69 frames dissected by Wireshark HSMS dissector (external)
  - 196 SEMI E5 KAT assertions (standards body's encoding rules)
  - **~70k + ~285k random inputs, 0 crashes (external)**
  - 100k random tool ops with all invariants holding (internal)
  - YAML validation (internal)
  - TSan clean on 2 557 assertions (internal correctness aid)

Five distinct external proofs now, each covering a different angle.

Plan: VERIFICATION.md §4.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
2026-06-09 16:27:36 +02:00
parent 2fce2fad0c
commit 4ddf8e0f48
6 changed files with 134 additions and 0 deletions
+43
View File
@@ -142,3 +142,46 @@ jobs:
# that secsgem-py couldn't easily drive.
- name: secs4j cross-validation
run: bash interop/secs4j_validate.sh
libfuzzer:
runs-on: ubuntu-latest
container:
image: ubuntu:24.04
steps:
- name: Bootstrap (node + git)
run: |
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y --no-install-recommends \
git ca-certificates nodejs
- uses: actions/checkout@v4
- name: Install clang + libFuzzer runtime
run: |
export DEBIAN_FRONTEND=noninteractive
apt-get install -y --no-install-recommends \
cmake ninja-build \
libasio-dev libyaml-cpp-dev \
python3 python3-yaml \
clang libclang-rt-18-dev
- name: Configure (fuzz)
env:
CC: clang
CXX: clang++
run: cmake -S . -B build-fuzz -G Ninja
-DCMAKE_BUILD_TYPE=Debug
-DSECSGEM_FUZZ=ON
- name: Build fuzz targets
run: cmake --build build-fuzz --target fuzz_secs2_decode fuzz_sml_parse
# 60 seconds each — long enough for libFuzzer to explore the
# decoder/parser without ballooning CI time. Any crash, ASan
# report, or UBSan flag fails the job.
- name: Fuzz secs2::decode
run: build-fuzz/fuzz_secs2_decode -max_total_time=60 -max_len=4096
- name: Fuzz secs2::try_parse_sml
run: build-fuzz/fuzz_sml_parse -max_total_time=60 -max_len=4096