/src/fuzz_ruby_parser.cpp

Source
/* Copyright 2025 Google LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

/*
 * Fuzzer for Ruby's parser (ruby_parser.c)
 * Tests parsing of Ruby source code with malformed/random input
 * to find bugs in the Ruby parser implementation.
 */

#include <stdint.h>
#include <stdlib.h>
#include <string>
#include <fuzzer/FuzzedDataProvider.h>
#include "ruby.h"
#include "ruby/ruby.h"
#include "ruby/encoding.h"

/* Forward declarations for parser functions */
extern "C" {
extern VALUE rb_parser_new(void);
extern VALUE rb_parser_compile_string(VALUE vparser, const char *f, VALUE s, int line);
extern VALUE ruby_verbose;
}

/* Silence stderr output during fuzzing */
static VALUE
silenced_parse(VALUE parser_str_pair)
{
    VALUE *args = (VALUE *)parser_str_pair;
    VALUE parser = args[0];
    VALUE code_str = args[1];
    
    /* Compile the string - this will parse it */
    return rb_parser_compile_string(parser, "(fuzz)", code_str, 1);
}

extern "C" int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    static int initialized = 0;
    int state;
    
    if (!initialized) {
        ruby_init();
        ruby_init_loadpath();
        initialized = 1;
        
        // Suppress Ruby warnings to avoid log noise
        ruby_verbose = Qfalse;
    }
    
    if (size == 0) {
        return 0;
    }
    
    // Limit input size to avoid pathologically slow parsing
    // Ruby parser can be exponentially slow with deeply nested
    // structures resulting in timeouts.
    if (size > 50000) {
        return 0;
    }
    // Use FuzzedDataProvider for structured data consumption
    FuzzedDataProvider fdp(data, size);
    
    /* Create a Ruby string from the fuzz input */
    std::string code_data = fdp.ConsumeRemainingBytesAsString();
    VALUE code_str = rb_str_new(code_data.data(), code_data.size());
    
    /* Create a new parser instance */
    VALUE parser = rb_parser_new();
    if (NIL_P(parser)) {
        return 0;
    }
    
    /* Prepare arguments for protected call */
    VALUE args[2];
    args[0] = parser;
    args[1] = code_str;
    
    /* Parse the code with exception protection */
    rb_protect(silenced_parse, (VALUE)args, &state);
    
    /* If an exception occurred, clear it and continue */
    if (state) {
        rb_set_errinfo(Qnil);
    }
    
    /* Force GC to clean up */
    rb_gc_start();
    
    return 0;
}

Line	Count	Source
1		/* Copyright 2025 Google LLC
2		Licensed under the Apache License, Version 2.0 (the "License");
3		you may not use this file except in compliance with the License.
4		You may obtain a copy of the License at
5		http://www.apache.org/licenses/LICENSE-2.0
6		Unless required by applicable law or agreed to in writing, software
7		distributed under the License is distributed on an "AS IS" BASIS,
8		WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
9		See the License for the specific language governing permissions and
10		limitations under the License.
11		*/
12
13		/*
14		* Fuzzer for Ruby's parser (ruby_parser.c)
15		* Tests parsing of Ruby source code with malformed/random input
16		* to find bugs in the Ruby parser implementation.
17		*/
18
19		#include <stdint.h>
20		#include <stdlib.h>
21		#include <string>
22		#include <fuzzer/FuzzedDataProvider.h>
23		#include "ruby.h"
24		#include "ruby/ruby.h"
25		#include "ruby/encoding.h"
26
27		/* Forward declarations for parser functions */
28		extern "C" {
29		extern VALUE rb_parser_new(void);
30		extern VALUE rb_parser_compile_string(VALUE vparser, const char *f, VALUE s, int line);
31		extern VALUE ruby_verbose;
32		}
33
34		/* Silence stderr output during fuzzing */
35		static VALUE
36		silenced_parse(VALUE parser_str_pair)
37	16.8k	{
38	16.8k	VALUE args = (VALUE )parser_str_pair;
39	16.8k	VALUE parser = args[0];
40	16.8k	VALUE code_str = args[1];
41
42		/* Compile the string - this will parse it */
43	16.8k	return rb_parser_compile_string(parser, "(fuzz)", code_str, 1);
44	16.8k	}
45
46		extern "C" int
47		LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
48	16.8k	{
49	16.8k	static int initialized = 0;
50	16.8k	int state;
51
52	16.8k	if (!initialized) {
53	1	ruby_init();
54	1	ruby_init_loadpath();
55	1	initialized = 1;
56
57		// Suppress Ruby warnings to avoid log noise
58	1	ruby_verbose = Qfalse;
59	1	}
60
61	16.8k	if (size == 0) {
62	0	return 0;
63	0	}
64
65		// Limit input size to avoid pathologically slow parsing
66		// Ruby parser can be exponentially slow with deeply nested
67		// structures resulting in timeouts.
68	16.8k	if (size > 50000) {
69	6	return 0;
70	6	}
71		// Use FuzzedDataProvider for structured data consumption
72	16.8k	FuzzedDataProvider fdp(data, size);
73
74		/* Create a Ruby string from the fuzz input */
75	16.8k	std::string code_data = fdp.ConsumeRemainingBytesAsString();
76	16.8k	VALUE code_str = rb_str_new(code_data.data(), code_data.size());
77
78		/* Create a new parser instance */
79	16.8k	VALUE parser = rb_parser_new();
80	16.8k	if (NIL_P(parser)) {
81	0	return 0;
82	0	}
83
84		/* Prepare arguments for protected call */
85	16.8k	VALUE args[2];
86	16.8k	args[0] = parser;
87	16.8k	args[1] = code_str;
88
89		/* Parse the code with exception protection */
90	16.8k	rb_protect(silenced_parse, (VALUE)args, &state);
91
92		/* If an exception occurred, clear it and continue */
93	16.8k	if (state) {
94	398	rb_set_errinfo(Qnil);
95	398	}
96
97		/* Force GC to clean up */
98	16.8k	rb_gc_start();
99
100	16.8k	return 0;
101	16.8k	}

Coverage Report

Created: 2026-03-31 07:30