/src/zstd/tests/fuzz/fse_read_ncount.c

Source
/*
 * Copyright (c) Meta Platforms, Inc. and affiliates.
 * All rights reserved.
 *
 * This source code is licensed under both the BSD-style license (found in the
 * LICENSE file in the root directory of this source tree) and the GPLv2 (found
 * in the COPYING file in the root directory of this source tree).
 * You may select, at your option, one of the above-listed licenses.
 */

/**
 * This fuzz target round trips the FSE normalized count with FSE_writeNCount()
 * and FSE_readNcount() to ensure that it can always round trip correctly.
 */

#define FSE_STATIC_LINKING_ONLY
#define ZSTD_STATIC_LINKING_ONLY

#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include "fuzz_helpers.h"
#include "zstd_helpers.h"
#include "fuzz_data_producer.h"
#include "fse.h"

int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
{
    FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);

    /* Pick a random tableLog and maxSymbolValue */
    unsigned const tableLog = FUZZ_dataProducer_uint32Range(producer, FSE_MIN_TABLELOG, FSE_MAX_TABLELOG);
    unsigned const maxSymbolValue = FUZZ_dataProducer_uint32Range(producer, 0, 255);

    unsigned remainingWeight = (1u << tableLog) - 1;
    size_t dataSize;
    BYTE data[512];
    short ncount[256];

    /* Randomly fill the normalized count */
    memset(ncount, 0, sizeof(ncount));
    {
        unsigned s;
        for (s = 0; s < maxSymbolValue && remainingWeight > 0; ++s) {
            short n = (short)FUZZ_dataProducer_int32Range(producer, -1, remainingWeight);
            ncount[s] = n;
            if (n < 0) {
                remainingWeight -= 1;
            } else {
                assert((unsigned)n <= remainingWeight);
                remainingWeight -= n;
            }
        }
        /* Ensure ncount[maxSymbolValue] != 0 and the sum is (1<<tableLog) */
        ncount[maxSymbolValue] = remainingWeight + 1;
        if (ncount[maxSymbolValue] == 1 && FUZZ_dataProducer_uint32Range(producer, 0, 1) == 1) {
            ncount[maxSymbolValue] = -1;
        }
    }
    /* Write the normalized count */
    {
        FUZZ_ASSERT(sizeof(data) >= FSE_NCountWriteBound(maxSymbolValue, tableLog));
        dataSize = FSE_writeNCount(data, sizeof(data), ncount, maxSymbolValue, tableLog);
        FUZZ_ZASSERT(dataSize);
    }
    /* Read & validate the normalized count */
    {
        short rtNcount[256];
        unsigned rtMaxSymbolValue = 255;
        unsigned rtTableLog;
        /* Copy into a buffer with a random amount of random data at the end */
        size_t const buffSize = (size_t)FUZZ_dataProducer_uint32Range(producer, dataSize, sizeof(data));
        BYTE* const buff = FUZZ_malloc(buffSize);
        size_t rtDataSize;
        memcpy(buff, data, dataSize); 
        {
            size_t b;
            for (b = dataSize; b < buffSize; ++b) {
                buff[b] = (BYTE)FUZZ_dataProducer_uint32Range(producer, 0, 255);
            }
        }

        rtDataSize = FSE_readNCount(rtNcount, &rtMaxSymbolValue, &rtTableLog, buff, buffSize);
        FUZZ_ZASSERT(rtDataSize);
        FUZZ_ASSERT(rtDataSize == dataSize);
        FUZZ_ASSERT(rtMaxSymbolValue == maxSymbolValue);
        FUZZ_ASSERT(rtTableLog == tableLog);
        {
            unsigned s;
            for (s = 0; s <= maxSymbolValue; ++s) {
                FUZZ_ASSERT(ncount[s] == rtNcount[s]);
            }
        }
        free(buff);
    }

    FUZZ_dataProducer_free(producer);
    return 0;
}

Line	Count	Source
1		/*
2		* Copyright (c) Meta Platforms, Inc. and affiliates.
3		* All rights reserved.
4		*
5		* This source code is licensed under both the BSD-style license (found in the
6		* LICENSE file in the root directory of this source tree) and the GPLv2 (found
7		* in the COPYING file in the root directory of this source tree).
8		* You may select, at your option, one of the above-listed licenses.
9		*/
10
11		/**
12		* This fuzz target round trips the FSE normalized count with FSE_writeNCount()
13		* and FSE_readNcount() to ensure that it can always round trip correctly.
14		*/
15
16		#define FSE_STATIC_LINKING_ONLY
17		#define ZSTD_STATIC_LINKING_ONLY
18
19		#include <stddef.h>
20		#include <stdlib.h>
21		#include <stdio.h>
22		#include <string.h>
23		#include "fuzz_helpers.h"
24		#include "zstd_helpers.h"
25		#include "fuzz_data_producer.h"
26		#include "fse.h"
27
28		int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
29	215	{
30	215	FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
31
32		/* Pick a random tableLog and maxSymbolValue */
33	215	unsigned const tableLog = FUZZ_dataProducer_uint32Range(producer, FSE_MIN_TABLELOG, FSE_MAX_TABLELOG);
34	215	unsigned const maxSymbolValue = FUZZ_dataProducer_uint32Range(producer, 0, 255);
35
36	215	unsigned remainingWeight = (1u << tableLog) - 1;
37	215	size_t dataSize;
38	215	BYTE data[512];
39	215	short ncount[256];
40
41		/* Randomly fill the normalized count */
42	215	memset(ncount, 0, sizeof(ncount));
43	215	{
44	215	unsigned s;
45	12.4k	for (s = 0; s < maxSymbolValue && remainingWeight > 0; ++s) {
46	12.2k	short n = (short)FUZZ_dataProducer_int32Range(producer, -1, remainingWeight);
47	12.2k	ncount[s] = n;
48	12.2k	if (n < 0) {
49	8.90k	remainingWeight -= 1;
50	8.90k	} else {
51	3.30k	assert((unsigned)n <= remainingWeight);
52	3.30k	remainingWeight -= n;
53	3.30k	}
54	12.2k	}
55		/* Ensure ncount[maxSymbolValue] != 0 and the sum is (1<<tableLog) */
56	215	ncount[maxSymbolValue] = remainingWeight + 1;
57	215	if (ncount[maxSymbolValue] == 1 && FUZZ_dataProducer_uint32Range(producer, 0, 1) == 1) {
58	14	ncount[maxSymbolValue] = -1;
59	14	}
60	215	}
61		/* Write the normalized count */
62	215	{
63	215	FUZZ_ASSERT(sizeof(data) >= FSE_NCountWriteBound(maxSymbolValue, tableLog));
64	215	dataSize = FSE_writeNCount(data, sizeof(data), ncount, maxSymbolValue, tableLog);
65	215	FUZZ_ZASSERT(dataSize);
66	215	}
67		/* Read & validate the normalized count */
68	215	{
69	215	short rtNcount[256];
70	215	unsigned rtMaxSymbolValue = 255;
71	215	unsigned rtTableLog;
72		/* Copy into a buffer with a random amount of random data at the end */
73	215	size_t const buffSize = (size_t)FUZZ_dataProducer_uint32Range(producer, dataSize, sizeof(data));
74	215	BYTE* const buff = FUZZ_malloc(buffSize);
75	215	size_t rtDataSize;
76	215	memcpy(buff, data, dataSize);
77	215	{
78	215	size_t b;
79	9.39k	for (b = dataSize; b < buffSize; ++b) {
80	9.18k	buff[b] = (BYTE)FUZZ_dataProducer_uint32Range(producer, 0, 255);
81	9.18k	}
82	215	}
83
84	215	rtDataSize = FSE_readNCount(rtNcount, &rtMaxSymbolValue, &rtTableLog, buff, buffSize);
85	215	FUZZ_ZASSERT(rtDataSize);
86	215	FUZZ_ASSERT(rtDataSize == dataSize);
87	215	FUZZ_ASSERT(rtMaxSymbolValue == maxSymbolValue);
88	215	FUZZ_ASSERT(rtTableLog == tableLog);
89	215	{
90	215	unsigned s;
91	22.0k	for (s = 0; s <= maxSymbolValue; ++s) {
92	21.8k	FUZZ_ASSERT(ncount[s] == rtNcount[s]);
93	21.8k	}
94	215	}
95	215	free(buff);
96	215	}
97
98	0	FUZZ_dataProducer_free(producer);
99	215	return 0;
100	215	}

Coverage Report

Created: 2025-10-10 07:01