/src/bind9/fuzz/dns_qp.c

Source (jump to first uncovered line)
/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

#include <assert.h>
#include <err.h>
#include <stdbool.h>
#include <stdint.h>

#include <isc/random.h>
#include <isc/refcount.h>
#include <isc/rwlock.h>
#include <isc/urcu.h>
#include <isc/util.h>

#include <dns/qp.h>
#include <dns/types.h>

#include "fuzz.h"
#include "qp_p.h"

#include <tests/qp.h>

bool debug = false;

#if 0
#define TRACE(...) warnx(__VA_ARGS__)
#else
#define TRACE(...)
#endif

#if 0
#define ASSERT(p)                                               \
  do {                                                    \
    warnx("%s:%d: %s (%s)", __func__, __LINE__, #p, \
          (p) ? "OK" : "FAIL");                     \
    ok = ok && (p);                                 \
  } while (0)
#else
#define ASSERT(p) assert(p)
#endif

static struct {
  uint32_t refcount;
  bool exists;
  uint8_t len;
  dns_qpkey_t key;
  dns_qpkey_t ascii;
} item[256 * 256 / 4];

static void
fuzz_attach(void *ctx, void *pval, uint32_t ival) {
  assert(ctx == NULL);
  assert(pval == &item[ival]);
  item[ival].refcount++;
}

static void
fuzz_detach(void *ctx, void *pval, uint32_t ival) {
  assert(ctx == NULL);
  assert(pval == &item[ival]);
  item[ival].refcount--;
}

static size_t
fuzz_makekey(dns_qpkey_t key, void *ctx, void *pval, uint32_t ival) {
  assert(ctx == NULL);
  assert(pval == &item[ival]);
  memmove(key, item[ival].key, item[ival].len);
  return (item[ival].len);
}

static void
fuzz_triename(void *ctx, char *buf, size_t size) {
  assert(ctx == NULL);
  strlcpy(buf, "fuzz", size);
}

const dns_qpmethods_t fuzz_methods = {
  fuzz_attach,
  fuzz_detach,
  fuzz_makekey,
  fuzz_triename,
};

static uint8_t
random_byte(void) {
  return (isc_random_uniform(SHIFT_OFFSET - SHIFT_NOBYTE) + SHIFT_NOBYTE);
}

int
LLVMFuzzerInitialize(int *argc, char ***argv) {
  UNUSED(argc);
  UNUSED(argv);

  for (size_t i = 0; i < ARRAY_SIZE(item); i++) {
    size_t len = isc_random_uniform(100) + 16;
    item[i].len = len;
    for (size_t off = 0; off < len; off++) {
      item[i].key[off] = random_byte();
    }
    memmove(item[i].ascii, item[i].key, len);
    qp_test_keytoascii(item[i].ascii, len);
  }

  return (0);
}

int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  isc_result_t result;

  TRACE("------------------------------------------------");

  isc_mem_t *mctx = NULL;
  isc_mem_create(&mctx);
  isc_mem_setdestroycheck(mctx, true);

  dns_qp_t *qp = NULL;
  dns_qp_create(mctx, &fuzz_methods, NULL, &qp);

  /* avoid overrun */
  size = size & ~1;

  size_t count = 0;

  for (size_t in = 0; in < size; in += 2) {
    size_t what = data[in] + data[in + 1] * 256;
    size_t i = (what / 4) % (count * 2 + 2);
    bool exists = item[i].exists;
    uint32_t refcount = item[i].refcount;
    bool ok = true;
    if (what & 2) {
      void *pval = NULL;
      uint32_t ival = ~0U;
      result = dns_qp_getkey(qp, item[i].key, item[i].len,
                 &pval, &ival);
      TRACE("count %zu get %s %zu >%s<", count,
            isc_result_toid(result), i, item[i].ascii);
      if (result == ISC_R_SUCCESS) {
        ASSERT(pval == &item[i]);
        ASSERT(ival == i);
        ASSERT(item[i].refcount == 1);
        ASSERT(item[i].exists == true);
      } else if (result == ISC_R_NOTFOUND) {
        ASSERT(pval == NULL);
        ASSERT(ival == ~0U);
        ASSERT(item[i].refcount == 0);
        ASSERT(item[i].exists == false);
      } else {
        UNREACHABLE();
      }
    } else if (what & 1) {
      result = dns_qp_insert(qp, &item[i], i);
      TRACE("count %zu ins %s %zu >%s<", count,
            isc_result_toid(result), i, item[i].ascii);
      if (result == ISC_R_SUCCESS) {
        item[i].exists = true;
        ASSERT(exists == false);
        ASSERT(refcount == 0);
        ASSERT(item[i].refcount == 1);
        count += 1;
        ASSERT(qp->leaf_count == count);
      } else if (result == ISC_R_EXISTS) {
        ASSERT(exists == true);
        ASSERT(refcount == 1);
        ASSERT(item[i].refcount == 1);
        ASSERT(qp->leaf_count == count);
      } else {
        UNREACHABLE();
      }
    } else {
      result = dns_qp_deletekey(qp, item[i].key, item[i].len);
      TRACE("count %zu del %s %zu >%s<", count,
            isc_result_toid(result), i, item[i].ascii);
      if (result == ISC_R_SUCCESS) {
        item[i].exists = false;
        ASSERT(exists == true);
        ASSERT(refcount == 1);
        ASSERT(item[i].refcount == 0);
        count -= 1;
        ASSERT(qp->leaf_count == count);
      } else if (result == ISC_R_NOTFOUND) {
        ASSERT(exists == false);
        ASSERT(refcount == 0);
        ASSERT(item[i].refcount == 0);
        ASSERT(qp->leaf_count == count);
      } else {
        UNREACHABLE();
      }
    }
    if (!ok) {
      qp_test_dumpqp(qp);
      qp_test_dumptrie(qp);
    }
    assert(ok);
  }

  for (size_t i = 0; i < ARRAY_SIZE(item); i++) {
    assert(item[i].exists == (item[i].refcount != 0));
  }

  dns_qp_destroy(&qp);
  isc_mem_destroy(&mctx);
  isc_mem_checkdestroyed(stderr);

  for (size_t i = 0; i < ARRAY_SIZE(item); i++) {
    item[i].exists = false;
    assert(item[i].refcount == 0);
  }

  return (0);
}

Coverage Report

Created: 2023-06-07 06:23

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3		*
4		* SPDX-License-Identifier: MPL-2.0
5		*
6		* This Source Code Form is subject to the terms of the Mozilla Public
7		* License, v. 2.0. If a copy of the MPL was not distributed with this
8		* file, you can obtain one at https://mozilla.org/MPL/2.0/.
9		*
10		* See the COPYRIGHT file distributed with this work for additional
11		* information regarding copyright ownership.
12		*/
13
14		#include <assert.h>
15		#include <err.h>
16		#include <stdbool.h>
17		#include <stdint.h>
18
19		#include <isc/random.h>
20		#include <isc/refcount.h>
21		#include <isc/rwlock.h>
22		#include <isc/urcu.h>
23		#include <isc/util.h>
24
25		#include <dns/qp.h>
26		#include <dns/types.h>
27
28		#include "fuzz.h"
29		#include "qp_p.h"
30
31		#include <tests/qp.h>
32
33		bool debug = false;
34
35		#if 0
36		#define TRACE(...) warnx(__VA_ARGS__)
37		#else
38		#define TRACE(...)
39		#endif
40
41		#if 0
42		#define ASSERT(p) \
43		do { \
44		warnx("%s:%d: %s (%s)", __func__, __LINE__, #p, \
45		(p) ? "OK" : "FAIL"); \
46		ok = ok && (p); \
47		} while (0)
48		#else
49	88.2M	#define ASSERT(p) assert(p)
50		#endif
51
52		static struct {
53		uint32_t refcount;
54		bool exists;
55		uint8_t len;
56		dns_qpkey_t key;
57		dns_qpkey_t ascii;
58		} item[256 * 256 / 4];
59
60		static void
61	8.32M	fuzz_attach(void ctx, void pval, uint32_t ival) {
62	8.32M	assert(ctx == NULL);
63	8.32M	assert(pval == &item[ival]);
64	8.32M	item[ival].refcount++;
65	8.32M	}
66
67		static void
68	8.32M	fuzz_detach(void ctx, void pval, uint32_t ival) {
69	8.32M	assert(ctx == NULL);
70	8.32M	assert(pval == &item[ival]);
71	8.32M	item[ival].refcount--;
72	8.32M	}
73
74		static size_t
75	23.9M	fuzz_makekey(dns_qpkey_t key, void ctx, void pval, uint32_t ival) {
76	23.9M	assert(ctx == NULL);
77	23.9M	assert(pval == &item[ival]);
78	23.9M	memmove(key, item[ival].key, item[ival].len);
79	23.9M	return (item[ival].len);
80	23.9M	}
81
82		static void
83	0	fuzz_triename(void ctx, char buf, size_t size) {
84	0	assert(ctx == NULL);
85	0	strlcpy(buf, "fuzz", size);
86	0	}
87
88		const dns_qpmethods_t fuzz_methods = {
89		fuzz_attach,
90		fuzz_detach,
91		fuzz_makekey,
92		fuzz_triename,
93		};
94
95		static uint8_t
96	2.14M	random_byte(void) {
97	2.14M	return (isc_random_uniform(SHIFT_OFFSET - SHIFT_NOBYTE) + SHIFT_NOBYTE);
98	2.14M	}
99
100		int
101	2	LLVMFuzzerInitialize(int argc, char **argv) {
102	2	UNUSED(argc);
103	2	UNUSED(argv);
104
105	32.7k	for (size_t i = 0; i < ARRAY_SIZE(item); i++) {
106	32.7k	size_t len = isc_random_uniform(100) + 16;
107	32.7k	item[i].len = len;
108	2.17M	for (size_t off = 0; off < len; off++) {
109	2.14M	item[i].key[off] = random_byte();
110	2.14M	}
111	32.7k	memmove(item[i].ascii, item[i].key, len);
112	32.7k	qp_test_keytoascii(item[i].ascii, len);
113	32.7k	}
114
115	2	return (0);
116	2	}
117
118		int
119	1.11k	LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
120	1.11k	isc_result_t result;
121
122	1.11k	TRACE("------------------------------------------------");
123
124	1.11k	isc_mem_t *mctx = NULL;
125	1.11k	isc_mem_create(&mctx);
126	1.11k	isc_mem_setdestroycheck(mctx, true);
127
128	1.11k	dns_qp_t *qp = NULL;
129	1.11k	dns_qp_create(mctx, &fuzz_methods, NULL, &qp);
130
131		/* avoid overrun */
132	1.11k	size = size & ~1;
133
134	1.11k	size_t count = 0;
135
136	22.0M	for (size_t in = 0; in < size; in += 2) {
137	22.0M	size_t what = data[in] + data[in + 1] * 256;
138	22.0M	size_t i = (what / 4) % (count * 2 + 2);
139	22.0M	bool exists = item[i].exists;
140	22.0M	uint32_t refcount = item[i].refcount;
141	22.0M	bool ok = true;
142	22.0M	if (what & 2) {
143	1.27M	void *pval = NULL;
144	1.27M	uint32_t ival = ~0U;
145	1.27M	result = dns_qp_getkey(qp, item[i].key, item[i].len,
146	1.27M	&pval, &ival);
147	1.27M	TRACE("count %zu get %s %zu >%s<", count,
148	1.27M	isc_result_toid(result), i, item[i].ascii);
149	1.27M	if (result == ISC_R_SUCCESS) {
150	987k	ASSERT(pval == &item[i]);
151	987k	ASSERT(ival == i);
152	987k	ASSERT(item[i].refcount == 1);
153	987k	ASSERT(item[i].exists == true);
154	987k	} else if (result == ISC_R_NOTFOUND) {
155	288k	ASSERT(pval == NULL);
156	288k	ASSERT(ival == ~0U);
157	288k	ASSERT(item[i].refcount == 0);
158	288k	ASSERT(item[i].exists == false);
159	288k	} else {
160	0	UNREACHABLE();
161	0	}
162	20.7M	} else if (what & 1) {
163	11.0M	result = dns_qp_insert(qp, &item[i], i);
164	11.0M	TRACE("count %zu ins %s %zu >%s<", count,
165	11.0M	isc_result_toid(result), i, item[i].ascii);
166	11.0M	if (result == ISC_R_SUCCESS) {
167	8.32M	item[i].exists = true;
168	8.32M	ASSERT(exists == false);
169	8.32M	ASSERT(refcount == 0);
170	8.32M	ASSERT(item[i].refcount == 1);
171	8.32M	count += 1;
172	8.32M	ASSERT(qp->leaf_count == count);
173	8.32M	} else if (result == ISC_R_EXISTS) {
174	2.75M	ASSERT(exists == true);
175	2.75M	ASSERT(refcount == 1);
176	2.75M	ASSERT(item[i].refcount == 1);
177	2.75M	ASSERT(qp->leaf_count == count);
178	2.75M	} else {
179	0	UNREACHABLE();
180	0	}
181	11.0M	} else {
182	9.71M	result = dns_qp_deletekey(qp, item[i].key, item[i].len);
183	9.71M	TRACE("count %zu del %s %zu >%s<", count,
184	9.71M	isc_result_toid(result), i, item[i].ascii);
185	9.71M	if (result == ISC_R_SUCCESS) {
186	7.21M	item[i].exists = false;
187	7.21M	ASSERT(exists == true);
188	7.21M	ASSERT(refcount == 1);
189	7.21M	ASSERT(item[i].refcount == 0);
190	7.21M	count -= 1;
191	7.21M	ASSERT(qp->leaf_count == count);
192	7.21M	} else if (result == ISC_R_NOTFOUND) {
193	2.50M	ASSERT(exists == false);
194	2.50M	ASSERT(refcount == 0);
195	2.50M	ASSERT(item[i].refcount == 0);
196	2.50M	ASSERT(qp->leaf_count == count);
197	2.50M	} else {
198	0	UNREACHABLE();
199	0	}
200	9.71M	}
201	22.0M	if (!ok) {
202	0	qp_test_dumpqp(qp);
203	0	qp_test_dumptrie(qp);
204	0	}
205	22.0M	assert(ok);
206	22.0M	}
207
208	18.3M	for (size_t i = 0; i < ARRAY_SIZE(item); i++) {
209	18.3M	assert(item[i].exists == (item[i].refcount != 0));
210	18.3M	}
211
212	1.11k	dns_qp_destroy(&qp);
213	1.11k	isc_mem_destroy(&mctx);
214	1.11k	isc_mem_checkdestroyed(stderr);
215
216	18.3M	for (size_t i = 0; i < ARRAY_SIZE(item); i++) {
217	18.3M	item[i].exists = false;
218	18.3M	assert(item[i].refcount == 0);
219	18.3M	}
220
221	1.11k	return (0);
222	1.11k	}