/src/bind9/fuzz/dns_qp.c

Source
/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

#include <assert.h>
#include <err.h>
#include <stdbool.h>
#include <stdint.h>

#include <isc/random.h>
#include <isc/refcount.h>
#include <isc/rwlock.h>
#include <isc/urcu.h>
#include <isc/util.h>

#include <dns/qp.h>
#include <dns/types.h>

#include "fuzz.h"
#include "qp_p.h"

#include <tests/qp.h>

bool debug = false;

#if 0
#define TRACE(...) warnx(__VA_ARGS__)
#else
#define TRACE(...)
#endif

#if 0
#define ASSERT(p)                                               \
  do {                                                    \
    warnx("%s:%d: %s (%s)", __func__, __LINE__, #p, \
          (p) ? "OK" : "FAIL");                     \
    ok = ok && (p);                                 \
  } while (0)
#else
#define ASSERT(p) assert(p)
#endif

static struct {
  uint32_t refcount;
  bool exists;
  uint8_t len;
  dns_qpkey_t key;
  dns_qpkey_t ascii;
} item[256 * 256 / 4];

static void
fuzz_attach(void *ctx, void *pval, uint32_t ival) {
  assert(ctx == NULL);
  assert(pval == &item[ival]);
  item[ival].refcount++;
}

static void
fuzz_detach(void *ctx, void *pval, uint32_t ival) {
  assert(ctx == NULL);
  assert(pval == &item[ival]);
  item[ival].refcount--;
}

static size_t
fuzz_makekey(dns_qpkey_t key, void *ctx, void *pval, uint32_t ival) {
  assert(ctx == NULL);
  assert(pval == &item[ival]);
  memmove(key, item[ival].key, item[ival].len);
  return item[ival].len;
}

static void
fuzz_triename(void *ctx, char *buf, size_t size) {
  assert(ctx == NULL);
  strlcpy(buf, "fuzz", size);
}

const dns_qpmethods_t fuzz_methods = {
  fuzz_attach,
  fuzz_detach,
  fuzz_makekey,
  fuzz_triename,
};

static uint8_t
random_byte(void) {
  return isc_random_uniform(SHIFT_OFFSET - SHIFT_NOBYTE) + SHIFT_NOBYTE;
}

int
LLVMFuzzerInitialize(int *argc, char ***argv) {
  UNUSED(argc);
  UNUSED(argv);

  for (size_t i = 0; i < ARRAY_SIZE(item); i++) {
    size_t len = isc_random_uniform(100) + 16;
    item[i].len = len + 1;
    item[i].key[0] = 0;
    for (size_t off = 1; off < len; off++) {
      item[i].key[off] = random_byte();
    }
    memmove(item[i].ascii, item[i].key, item[i].len);
    qp_test_keytoascii(item[i].ascii, item[i].len);
  }

  return 0;
}

int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  isc_result_t result;

  TRACE("------------------------------------------------");

  isc_mem_t *mctx = NULL;
  isc_mem_create("fuzz", &mctx);
  isc_mem_setdestroycheck(mctx, true);

  dns_qp_t *qp = NULL;
  dns_qp_create(mctx, &fuzz_methods, NULL, &qp);

  /* avoid overrun */
  size = size & ~1;

  size_t count = 0;

  for (size_t in = 0; in < size; in += 2) {
    size_t what = data[in] + data[in + 1] * 256;
    size_t i = (what / 4) % (count * 2 + 2);
    bool exists = item[i].exists;
    uint32_t refcount = item[i].refcount;
    bool ok = true;
    if (what & 2) {
      void *pval = NULL;
      uint32_t ival = ~0U;
      result = dns_qp_getkey(qp, item[i].key, item[i].len,
                 &pval, &ival);
      TRACE("count %zu get %s %zu >%s<", count,
            isc_result_toid(result), i, item[i].ascii);
      if (result == ISC_R_SUCCESS) {
        ASSERT(pval == &item[i]);
        ASSERT(ival == i);
        ASSERT(item[i].refcount == 1);
        ASSERT(item[i].exists == true);
      } else if (result == ISC_R_NOTFOUND) {
        ASSERT(pval == NULL);
        ASSERT(ival == ~0U);
        ASSERT(item[i].refcount == 0);
        ASSERT(item[i].exists == false);
      } else {
        UNREACHABLE();
      }
    } else if (what & 1) {
      result = dns_qp_insert(qp, &item[i], i);
      TRACE("count %zu ins %s %zu >%s<", count,
            isc_result_toid(result), i, item[i].ascii);
      if (result == ISC_R_SUCCESS) {
        item[i].exists = true;
        ASSERT(exists == false);
        ASSERT(refcount == 0);
        ASSERT(item[i].refcount == 1);
        count += 1;
        ASSERT(qp->leaf_count == count);
      } else if (result == ISC_R_EXISTS) {
        ASSERT(exists == true);
        ASSERT(refcount == 1);
        ASSERT(item[i].refcount == 1);
        ASSERT(qp->leaf_count == count);
      } else {
        UNREACHABLE();
      }
    } else {
      result = dns_qp_deletekey(qp, item[i].key, item[i].len,
              NULL, NULL);
      TRACE("count %zu del %s %zu >%s<", count,
            isc_result_toid(result), i, item[i].ascii);
      if (result == ISC_R_SUCCESS) {
        item[i].exists = false;
        ASSERT(exists == true);
        ASSERT(refcount == 1);
        ASSERT(item[i].refcount == 0);
        count -= 1;
        ASSERT(qp->leaf_count == count);
      } else if (result == ISC_R_NOTFOUND) {
        ASSERT(exists == false);
        ASSERT(refcount == 0);
        ASSERT(item[i].refcount == 0);
        ASSERT(qp->leaf_count == count);
      } else {
        UNREACHABLE();
      }
    }
    if (!ok) {
      qp_test_dumpqp(qp);
      qp_test_dumptrie(qp);
    }
    assert(ok);
  }

  for (size_t i = 0; i < ARRAY_SIZE(item); i++) {
    assert(item[i].exists == (item[i].refcount != 0));
  }

  dns_qp_destroy(&qp);
  isc_mem_detach(&mctx);
  isc_mem_checkdestroyed(stderr);

  for (size_t i = 0; i < ARRAY_SIZE(item); i++) {
    item[i].exists = false;
    assert(item[i].refcount == 0);
  }

  return 0;
}

Coverage Report

Created: 2026-01-17 06:14

Line	Count	Source
1		/*
2		* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3		*
4		* SPDX-License-Identifier: MPL-2.0
5		*
6		* This Source Code Form is subject to the terms of the Mozilla Public
7		* License, v. 2.0. If a copy of the MPL was not distributed with this
8		* file, you can obtain one at https://mozilla.org/MPL/2.0/.
9		*
10		* See the COPYRIGHT file distributed with this work for additional
11		* information regarding copyright ownership.
12		*/
13
14		#include <assert.h>
15		#include <err.h>
16		#include <stdbool.h>
17		#include <stdint.h>
18
19		#include <isc/random.h>
20		#include <isc/refcount.h>
21		#include <isc/rwlock.h>
22		#include <isc/urcu.h>
23		#include <isc/util.h>
24
25		#include <dns/qp.h>
26		#include <dns/types.h>
27
28		#include "fuzz.h"
29		#include "qp_p.h"
30
31		#include <tests/qp.h>
32
33		bool debug = false;
34
35		#if 0
36		#define TRACE(...) warnx(__VA_ARGS__)
37		#else
38		#define TRACE(...)
39		#endif
40
41		#if 0
42		#define ASSERT(p) \
43		do { \
44		warnx("%s:%d: %s (%s)", __func__, __LINE__, #p, \
45		(p) ? "OK" : "FAIL"); \
46		ok = ok && (p); \
47		} while (0)
48		#else
49	16.1M	#define ASSERT(p) assert(p)
50		#endif
51
52		static struct {
53		uint32_t refcount;
54		bool exists;
55		uint8_t len;
56		dns_qpkey_t key;
57		dns_qpkey_t ascii;
58		} item[256 * 256 / 4];
59
60		static void
61	708k	fuzz_attach(void ctx, void pval, uint32_t ival) {
62	708k	assert(ctx == NULL);
63	708k	assert(pval == &item[ival]);
64	708k	item[ival].refcount++;
65	708k	}
66
67		static void
68	708k	fuzz_detach(void ctx, void pval, uint32_t ival) {
69	708k	assert(ctx == NULL);
70	708k	assert(pval == &item[ival]);
71	708k	item[ival].refcount--;
72	708k	}
73
74		static size_t
75	1.77M	fuzz_makekey(dns_qpkey_t key, void ctx, void pval, uint32_t ival) {
76	1.77M	assert(ctx == NULL);
77	1.77M	assert(pval == &item[ival]);
78	1.77M	memmove(key, item[ival].key, item[ival].len);
79	1.77M	return item[ival].len;
80	1.77M	}
81
82		static void
83	0	fuzz_triename(void ctx, char buf, size_t size) {
84	0	assert(ctx == NULL);
85	0	strlcpy(buf, "fuzz", size);
86	0	}
87
88		const dns_qpmethods_t fuzz_methods = {
89		fuzz_attach,
90		fuzz_detach,
91		fuzz_makekey,
92		fuzz_triename,
93		};
94
95		static uint8_t
96	491k	random_byte(void) {
97	491k	return isc_random_uniform(SHIFT_OFFSET - SHIFT_NOBYTE) + SHIFT_NOBYTE;
98	491k	}
99
100		int
101	2	LLVMFuzzerInitialize(int argc, char **argv) {
102	2	UNUSED(argc);
103	2	UNUSED(argv);
104
105	32.7k	for (size_t i = 0; i < ARRAY_SIZE(item); i++) {
106	32.7k	size_t len = isc_random_uniform(100) + 16;
107	32.7k	item[i].len = len + 1;
108	32.7k	item[i].key[0] = 0;
109	524k	for (size_t off = 1; off < len; off++) {
110	491k	item[i].key[off] = random_byte();
111	491k	}
112	32.7k	memmove(item[i].ascii, item[i].key, item[i].len);
113	32.7k	qp_test_keytoascii(item[i].ascii, item[i].len);
114	32.7k	}
115
116	2	return 0;
117	2	}
118
119		int
120	143	LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
121	143	isc_result_t result;
122
123	143	TRACE("------------------------------------------------");
124
125	143	isc_mem_t *mctx = NULL;
126	143	isc_mem_create("fuzz", &mctx);
127	143	isc_mem_setdestroycheck(mctx, true);
128
129	143	dns_qp_t *qp = NULL;
130	143	dns_qp_create(mctx, &fuzz_methods, NULL, &qp);
131
132		/* avoid overrun */
133	143	size = size & ~1;
134
135	143	size_t count = 0;
136
137	4.04M	for (size_t in = 0; in < size; in += 2) {
138	4.04M	size_t what = data[in] + data[in + 1] * 256;
139	4.04M	size_t i = (what / 4) % (count * 2 + 2);
140	4.04M	bool exists = item[i].exists;
141	4.04M	uint32_t refcount = item[i].refcount;
142	4.04M	bool ok = true;
143	4.04M	if (what & 2) {
144	1.33M	void *pval = NULL;
145	1.33M	uint32_t ival = ~0U;
146	1.33M	result = dns_qp_getkey(qp, item[i].key, item[i].len,
147	1.33M	&pval, &ival);
148	1.33M	TRACE("count %zu get %s %zu >%s<", count,
149	1.33M	isc_result_toid(result), i, item[i].ascii);
150	1.33M	if (result == ISC_R_SUCCESS) {
151	69.1k	ASSERT(pval == &item[i]);
152	69.1k	ASSERT(ival == i);
153	69.1k	ASSERT(item[i].refcount == 1);
154	69.1k	ASSERT(item[i].exists == true);
155	1.26M	} else if (result == ISC_R_NOTFOUND) {
156	1.26M	ASSERT(pval == NULL);
157	1.26M	ASSERT(ival == ~0U);
158	1.26M	ASSERT(item[i].refcount == 0);
159	1.26M	ASSERT(item[i].exists == false);
160	1.26M	} else {
161	0	UNREACHABLE();
162	0	}
163	2.70M	} else if (what & 1) {
164	852k	result = dns_qp_insert(qp, &item[i], i);
165	852k	TRACE("count %zu ins %s %zu >%s<", count,
166	852k	isc_result_toid(result), i, item[i].ascii);
167	852k	if (result == ISC_R_SUCCESS) {
168	708k	item[i].exists = true;
169	708k	ASSERT(exists == false);
170	708k	ASSERT(refcount == 0);
171	708k	ASSERT(item[i].refcount == 1);
172	708k	count += 1;
173	708k	ASSERT(qp->leaf_count == count);
174	708k	} else if (result == ISC_R_EXISTS) {
175	144k	ASSERT(exists == true);
176	144k	ASSERT(refcount == 1);
177	144k	ASSERT(item[i].refcount == 1);
178	144k	ASSERT(qp->leaf_count == count);
179	144k	} else {
180	0	UNREACHABLE();
181	0	}
182	1.85M	} else {
183	1.85M	result = dns_qp_deletekey(qp, item[i].key, item[i].len,
184	1.85M	NULL, NULL);
185	1.85M	TRACE("count %zu del %s %zu >%s<", count,
186	1.85M	isc_result_toid(result), i, item[i].ascii);
187	1.85M	if (result == ISC_R_SUCCESS) {
188	708k	item[i].exists = false;
189	708k	ASSERT(exists == true);
190	708k	ASSERT(refcount == 1);
191	708k	ASSERT(item[i].refcount == 0);
192	708k	count -= 1;
193	708k	ASSERT(qp->leaf_count == count);
194	1.14M	} else if (result == ISC_R_NOTFOUND) {
195	1.14M	ASSERT(exists == false);
196	1.14M	ASSERT(refcount == 0);
197	1.14M	ASSERT(item[i].refcount == 0);
198	1.14M	ASSERT(qp->leaf_count == count);
199	1.14M	} else {
200	0	UNREACHABLE();
201	0	}
202	1.85M	}
203	4.04M	if (!ok) {
204	0	qp_test_dumpqp(qp);
205	0	qp_test_dumptrie(qp);
206	0	}
207	4.04M	assert(ok);
208	4.04M	}
209
210	2.34M	for (size_t i = 0; i < ARRAY_SIZE(item); i++) {
211	2.34M	assert(item[i].exists == (item[i].refcount != 0));
212	2.34M	}
213
214	143	dns_qp_destroy(&qp);
215	143	isc_mem_detach(&mctx);
216	143	isc_mem_checkdestroyed(stderr);
217
218	2.34M	for (size_t i = 0; i < ARRAY_SIZE(item); i++) {
219	2.34M	item[i].exists = false;
220	2.34M	assert(item[i].refcount == 0);
221	2.34M	}
222
223	143	return 0;
224	143	}