Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) Internet Systems Consortium, Inc. ("ISC") |
3 | | * |
4 | | * SPDX-License-Identifier: MPL-2.0 |
5 | | * |
6 | | * This Source Code Form is subject to the terms of the Mozilla Public |
7 | | * License, v. 2.0. If a copy of the MPL was not distributed with this |
8 | | * file, you can obtain one at https://mozilla.org/MPL/2.0/. |
9 | | * |
10 | | * See the COPYRIGHT file distributed with this work for additional |
11 | | * information regarding copyright ownership. |
12 | | */ |
13 | | |
14 | | #include <assert.h> |
15 | | #include <err.h> |
16 | | #include <stdbool.h> |
17 | | #include <stdint.h> |
18 | | |
19 | | #include <isc/random.h> |
20 | | #include <isc/refcount.h> |
21 | | #include <isc/rwlock.h> |
22 | | #include <isc/urcu.h> |
23 | | #include <isc/util.h> |
24 | | |
25 | | #include <dns/qp.h> |
26 | | #include <dns/types.h> |
27 | | |
28 | | #include "fuzz.h" |
29 | | #include "qp_p.h" |
30 | | |
31 | | #include <tests/qp.h> |
32 | | |
33 | | bool debug = false; |
34 | | |
35 | | #if 0 |
36 | | #define TRACE(...) warnx(__VA_ARGS__) |
37 | | #else |
38 | | #define TRACE(...) |
39 | | #endif |
40 | | |
41 | | #if 0 |
42 | | #define ASSERT(p) \ |
43 | | do { \ |
44 | | warnx("%s:%d: %s (%s)", __func__, __LINE__, #p, \ |
45 | | (p) ? "OK" : "FAIL"); \ |
46 | | ok = ok && (p); \ |
47 | | } while (0) |
48 | | #else |
49 | 88.2M | #define ASSERT(p) assert(p) |
50 | | #endif |
51 | | |
52 | | static struct { |
53 | | uint32_t refcount; |
54 | | bool exists; |
55 | | uint8_t len; |
56 | | dns_qpkey_t key; |
57 | | dns_qpkey_t ascii; |
58 | | } item[256 * 256 / 4]; |
59 | | |
60 | | static void |
61 | 8.32M | fuzz_attach(void *ctx, void *pval, uint32_t ival) { |
62 | 8.32M | assert(ctx == NULL); |
63 | 8.32M | assert(pval == &item[ival]); |
64 | 8.32M | item[ival].refcount++; |
65 | 8.32M | } |
66 | | |
67 | | static void |
68 | 8.32M | fuzz_detach(void *ctx, void *pval, uint32_t ival) { |
69 | 8.32M | assert(ctx == NULL); |
70 | 8.32M | assert(pval == &item[ival]); |
71 | 8.32M | item[ival].refcount--; |
72 | 8.32M | } |
73 | | |
74 | | static size_t |
75 | 23.9M | fuzz_makekey(dns_qpkey_t key, void *ctx, void *pval, uint32_t ival) { |
76 | 23.9M | assert(ctx == NULL); |
77 | 23.9M | assert(pval == &item[ival]); |
78 | 23.9M | memmove(key, item[ival].key, item[ival].len); |
79 | 23.9M | return (item[ival].len); |
80 | 23.9M | } |
81 | | |
82 | | static void |
83 | 0 | fuzz_triename(void *ctx, char *buf, size_t size) { |
84 | 0 | assert(ctx == NULL); |
85 | 0 | strlcpy(buf, "fuzz", size); |
86 | 0 | } |
87 | | |
88 | | const dns_qpmethods_t fuzz_methods = { |
89 | | fuzz_attach, |
90 | | fuzz_detach, |
91 | | fuzz_makekey, |
92 | | fuzz_triename, |
93 | | }; |
94 | | |
95 | | static uint8_t |
96 | 2.14M | random_byte(void) { |
97 | 2.14M | return (isc_random_uniform(SHIFT_OFFSET - SHIFT_NOBYTE) + SHIFT_NOBYTE); |
98 | 2.14M | } |
99 | | |
100 | | int |
101 | 2 | LLVMFuzzerInitialize(int *argc, char ***argv) { |
102 | 2 | UNUSED(argc); |
103 | 2 | UNUSED(argv); |
104 | | |
105 | 32.7k | for (size_t i = 0; i < ARRAY_SIZE(item); i++) { |
106 | 32.7k | size_t len = isc_random_uniform(100) + 16; |
107 | 32.7k | item[i].len = len; |
108 | 2.17M | for (size_t off = 0; off < len; off++) { |
109 | 2.14M | item[i].key[off] = random_byte(); |
110 | 2.14M | } |
111 | 32.7k | memmove(item[i].ascii, item[i].key, len); |
112 | 32.7k | qp_test_keytoascii(item[i].ascii, len); |
113 | 32.7k | } |
114 | | |
115 | 2 | return (0); |
116 | 2 | } |
117 | | |
118 | | int |
119 | 1.11k | LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { |
120 | 1.11k | isc_result_t result; |
121 | | |
122 | 1.11k | TRACE("------------------------------------------------"); |
123 | | |
124 | 1.11k | isc_mem_t *mctx = NULL; |
125 | 1.11k | isc_mem_create(&mctx); |
126 | 1.11k | isc_mem_setdestroycheck(mctx, true); |
127 | | |
128 | 1.11k | dns_qp_t *qp = NULL; |
129 | 1.11k | dns_qp_create(mctx, &fuzz_methods, NULL, &qp); |
130 | | |
131 | | /* avoid overrun */ |
132 | 1.11k | size = size & ~1; |
133 | | |
134 | 1.11k | size_t count = 0; |
135 | | |
136 | 22.0M | for (size_t in = 0; in < size; in += 2) { |
137 | 22.0M | size_t what = data[in] + data[in + 1] * 256; |
138 | 22.0M | size_t i = (what / 4) % (count * 2 + 2); |
139 | 22.0M | bool exists = item[i].exists; |
140 | 22.0M | uint32_t refcount = item[i].refcount; |
141 | 22.0M | bool ok = true; |
142 | 22.0M | if (what & 2) { |
143 | 1.27M | void *pval = NULL; |
144 | 1.27M | uint32_t ival = ~0U; |
145 | 1.27M | result = dns_qp_getkey(qp, item[i].key, item[i].len, |
146 | 1.27M | &pval, &ival); |
147 | 1.27M | TRACE("count %zu get %s %zu >%s<", count, |
148 | 1.27M | isc_result_toid(result), i, item[i].ascii); |
149 | 1.27M | if (result == ISC_R_SUCCESS) { |
150 | 987k | ASSERT(pval == &item[i]); |
151 | 987k | ASSERT(ival == i); |
152 | 987k | ASSERT(item[i].refcount == 1); |
153 | 987k | ASSERT(item[i].exists == true); |
154 | 987k | } else if (result == ISC_R_NOTFOUND) { |
155 | 288k | ASSERT(pval == NULL); |
156 | 288k | ASSERT(ival == ~0U); |
157 | 288k | ASSERT(item[i].refcount == 0); |
158 | 288k | ASSERT(item[i].exists == false); |
159 | 288k | } else { |
160 | 0 | UNREACHABLE(); |
161 | 0 | } |
162 | 20.7M | } else if (what & 1) { |
163 | 11.0M | result = dns_qp_insert(qp, &item[i], i); |
164 | 11.0M | TRACE("count %zu ins %s %zu >%s<", count, |
165 | 11.0M | isc_result_toid(result), i, item[i].ascii); |
166 | 11.0M | if (result == ISC_R_SUCCESS) { |
167 | 8.32M | item[i].exists = true; |
168 | 8.32M | ASSERT(exists == false); |
169 | 8.32M | ASSERT(refcount == 0); |
170 | 8.32M | ASSERT(item[i].refcount == 1); |
171 | 8.32M | count += 1; |
172 | 8.32M | ASSERT(qp->leaf_count == count); |
173 | 8.32M | } else if (result == ISC_R_EXISTS) { |
174 | 2.75M | ASSERT(exists == true); |
175 | 2.75M | ASSERT(refcount == 1); |
176 | 2.75M | ASSERT(item[i].refcount == 1); |
177 | 2.75M | ASSERT(qp->leaf_count == count); |
178 | 2.75M | } else { |
179 | 0 | UNREACHABLE(); |
180 | 0 | } |
181 | 11.0M | } else { |
182 | 9.71M | result = dns_qp_deletekey(qp, item[i].key, item[i].len); |
183 | 9.71M | TRACE("count %zu del %s %zu >%s<", count, |
184 | 9.71M | isc_result_toid(result), i, item[i].ascii); |
185 | 9.71M | if (result == ISC_R_SUCCESS) { |
186 | 7.21M | item[i].exists = false; |
187 | 7.21M | ASSERT(exists == true); |
188 | 7.21M | ASSERT(refcount == 1); |
189 | 7.21M | ASSERT(item[i].refcount == 0); |
190 | 7.21M | count -= 1; |
191 | 7.21M | ASSERT(qp->leaf_count == count); |
192 | 7.21M | } else if (result == ISC_R_NOTFOUND) { |
193 | 2.50M | ASSERT(exists == false); |
194 | 2.50M | ASSERT(refcount == 0); |
195 | 2.50M | ASSERT(item[i].refcount == 0); |
196 | 2.50M | ASSERT(qp->leaf_count == count); |
197 | 2.50M | } else { |
198 | 0 | UNREACHABLE(); |
199 | 0 | } |
200 | 9.71M | } |
201 | 22.0M | if (!ok) { |
202 | 0 | qp_test_dumpqp(qp); |
203 | 0 | qp_test_dumptrie(qp); |
204 | 0 | } |
205 | 22.0M | assert(ok); |
206 | 22.0M | } |
207 | | |
208 | 18.3M | for (size_t i = 0; i < ARRAY_SIZE(item); i++) { |
209 | 18.3M | assert(item[i].exists == (item[i].refcount != 0)); |
210 | 18.3M | } |
211 | | |
212 | 1.11k | dns_qp_destroy(&qp); |
213 | 1.11k | isc_mem_destroy(&mctx); |
214 | 1.11k | isc_mem_checkdestroyed(stderr); |
215 | | |
216 | 18.3M | for (size_t i = 0; i < ARRAY_SIZE(item); i++) { |
217 | 18.3M | item[i].exists = false; |
218 | 18.3M | assert(item[i].refcount == 0); |
219 | 18.3M | } |
220 | | |
221 | 1.11k | return (0); |
222 | 1.11k | } |