4ddf8e0f48
Coverage-guided structural search for crashes and undefined behaviour on arbitrary input to our two parsers. What's wired: - -DSECSGEM_FUZZ=ON CMake option, clang-only. Adds -fsanitize=fuzzer-no-link,address,undefined to all targets + -fsanitize=fuzzer to the two fuzz executables. - apps/fuzz_secs2_decode.cpp — feeds raw bytes to secs2::decode. Catches secs2::CodecError (expected) but traps on anything else leaking (would be a hardening bug). - apps/fuzz_sml_parse.cpp — feeds string to try_parse_sml, which is contractually nothrow-equivalent; traps on any exception. - .gitea/workflows/ci.yml — `libfuzzer` job builds with clang and runs each fuzzer for 60s in CI. Any crash / ASan / UBSan flag fails the job. - Dockerfile gains clang + libclang-rt-18-dev so devs can run locally with the same toolchain. Result on a fresh 30-second local run: fuzz_secs2_decode: 70 727 random inputs, 0 crashes fuzz_sml_parse: 284 950 random inputs, 0 crashes The coverage-guided search found and synthesized inputs that exercise: zero-byte, single-byte format tags, all length-byte counts (1/2/3), nested lists, format bytes with reserved bits, the "BOOLEAN" SML token, malformed quoted strings, etc. libFuzzer's recommended dictionary at the end of each run shows what bytes / substrings the coverage feedback discovered as discriminating — useful signals if we ever want a hand-curated corpus. README proof table grows to 8 commands. After this: - 426 unit tests (internal) - 47 conformance harness checks (internal) - 24 secsgem-py interop checks (external — Python ref impl) - 20 secs4j interop checks (external — independent Java impl) - 69 frames dissected by Wireshark HSMS dissector (external) - 196 SEMI E5 KAT assertions (standards body's encoding rules) - **~70k + ~285k random inputs, 0 crashes (external)** - 100k random tool ops with all invariants holding (internal) - YAML validation (internal) - TSan clean on 2 557 assertions (internal correctness aid) Five distinct external proofs now, each covering a different angle. Plan: VERIFICATION.md §4. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
33 lines
1.1 KiB
C++
33 lines
1.1 KiB
C++
// libFuzzer harness for the SECS-II decoder.
|
|
//
|
|
// Feed arbitrary bytes to secs2::decode and assert no crash, no
|
|
// UB, no ASan-flagged memory error. Coverage-guided fuzzing
|
|
// explores edges that hand-written tests can't predict.
|
|
//
|
|
// Build: cmake -S . -B build-fuzz -G Ninja -DSECSGEM_FUZZ=ON
|
|
// Run: build-fuzz/fuzz_secs2_decode -max_total_time=300 -max_len=65536
|
|
|
|
#include <cstdint>
|
|
#include <cstddef>
|
|
#include <vector>
|
|
|
|
#include "secsgem/secs2/codec.hpp"
|
|
|
|
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
|
|
// The decoder is expected to throw secs2::CodecError on malformed
|
|
// input — that's the contract. Any other exception type, or a
|
|
// segfault / ASan flag, is a bug.
|
|
try {
|
|
std::vector<uint8_t> bytes(data, data + size);
|
|
auto item = secsgem::secs2::decode(bytes);
|
|
(void)item;
|
|
} catch (const secsgem::secs2::CodecError&) {
|
|
// expected: well-defined failure path
|
|
} catch (...) {
|
|
// anything else escaping is a hardening bug — crash so libFuzzer
|
|
// captures the input.
|
|
__builtin_trap();
|
|
}
|
|
return 0;
|
|
}
|