AuroraMiddleware/zstd
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
bc5fe33243
zstd/tests/fuzz/simple_round_trip.c

115 lines
4.0 KiB
C
Raw Normal View History

fixed more file headers after license change (#825)
2017-08-31 19:11:57 +00:00
/*
Fix copyright and license lines * All copyright lines now have -2020 instead of -present * All copyright lines include "Facebook, Inc" * All licenses are now standardized The copyright in `threading.{h,c}` is not changed because it comes from zstdmt. The copyright and license of `divsufsort.{h,c}` is not changed.
2020-03-26 22:19:05 +00:00
* Copyright (c) 2016-2020, Facebook, Inc.
[fuzz] Add libFuzzer targets * The regression driver serves both as a regression test, and as a binary for afl-fuzz. * Next, we want to check in a seed corpus for each target. Then we can run the regression test binary on them on Travis or Circle CI.
2017-06-29 23:53:52 +00:00
* All rights reserved.
*
fixed more file headers after license change (#825)
2017-08-31 19:11:57 +00:00
* This source code is licensed under both the BSD-style license (found in the
* LICENSE file in the root directory of this source tree) and the GPLv2 (found
* in the COPYING file in the root directory of this source tree).
Fix copyright and license lines * All copyright lines now have -2020 instead of -present * All copyright lines include "Facebook, Inc" * All licenses are now standardized The copyright in `threading.{h,c}` is not changed because it comes from zstdmt. The copyright and license of `divsufsort.{h,c}` is not changed.
2020-03-26 22:19:05 +00:00
* You may select, at your option, one of the above-listed licenses.
[fuzz] Add libFuzzer targets * The regression driver serves both as a regression test, and as a binary for afl-fuzz. * Next, we want to check in a seed corpus for each target. Then we can run the regression test binary on them on Travis or Circle CI.
2017-06-29 23:53:52 +00:00
*/
/**
* This fuzz target performs a zstd round-trip test (compress & decompress),
* compares the result with the original, and calls abort() on corruption.
*/
[fuzzer] Fuzz long range matching & new API
2017-09-14 21:41:49 +00:00
#define ZSTD_STATIC_LINKING_ONLY
[fuzz] Add libFuzzer targets * The regression driver serves both as a regression test, and as a binary for afl-fuzz. * Next, we want to check in a seed corpus for each target. Then we can run the regression test binary on them on Travis or Circle CI.
2017-06-29 23:53:52 +00:00
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include "fuzz_helpers.h"
[fuzzer] Fuzz long range matching & new API
2017-09-14 21:41:49 +00:00
#include "zstd_helpers.h"
[Fuzz] Improve data generation #1723 Converting the rest of the tests to use the new data producer.
2019-09-10 23:14:43 +00:00
#include "fuzz_data_producer.h"
[fuzz] Add libFuzzer targets * The regression driver serves both as a regression test, and as a binary for afl-fuzz. * Next, we want to check in a seed corpus for each target. Then we can run the regression test binary on them on Travis or Circle CI.
2017-06-29 23:53:52 +00:00
static ZSTD_CCtx *cctx = NULL;
static ZSTD_DCtx *dctx = NULL;
static size_t roundTripTest(void *result, size_t resultCapacity,
void *compressed, size_t compressedCapacity,
[Fuzz] Improve data generation #1723 Converting the rest of the tests to use the new data producer.
2019-09-10 23:14:43 +00:00
const void *src, size_t srcSize,
FUZZ_dataProducer_t *producer)
[fuzz] Add libFuzzer targets * The regression driver serves both as a regression test, and as a binary for afl-fuzz. * Next, we want to check in a seed corpus for each target. Then we can run the regression test binary on them on Travis or Circle CI.
2017-06-29 23:53:52 +00:00
{
[fuzzer] Fuzz long range matching & new API
2017-09-14 21:41:49 +00:00
size_t cSize;
Fix superblock mode (#2100) Fixes: Enable RLE blocks for superblock mode Fix the limitation that the literals block must shrink. Instead, when we're within 200 bytes of the next header byte size, we will just use the next one up. That way we should (almost?) always have space for the table. Remove the limitation that the first sub-block MUST have compressed literals and be compressed. Now one sub-block MUST be compressed (otherwise we fall back to raw block which is okay, since that is streamable). If no block has compressed literals that is okay, we will fix up the next Huffman table. Handle the case where the last sub-block is uncompressed (maybe it is very small). Before it would skip superblock in this case, now we allow the last sub-block to be uncompressed. To do this we need to regenerate the correct repcodes. Respect disableLiteralsCompression in superblock mode Fix superblock mode to handle a block consisting of only compressed literals Fix a off by 1 error in superblock mode that disabled it whenever there were last literals Fix superblock mode with long literals/matches (> 0xFFFF) Allow superblock mode to repeat Huffman tables Respect ZSTD_minGain(). Tests: Simple check for the condition in #2096. When the simple_round_trip fuzzer enables superblock mode, it checks that the compressed size isn't expanded too much. Remaining limitations: O(targetCBlockSize^2) because we recompute statistics every sequence Unable to split literals of length > targetCBlockSize into multiple sequences Refuses to generate sub-blocks that don't shrink the compressed data, so we could end up with large sub-blocks. We should emit those sections as uncompressed blocks instead. ... Fixes #2096
2020-05-01 23:11:47 +00:00
size_t dSize;
int targetCBlockSize = 0;
Use range instead of the generic uint32 method to use less bytes when generating necessary numbers.
2019-09-12 19:40:12 +00:00
if (FUZZ_dataProducer_uint32Range(producer, 0, 1)) {
[Fuzz] Improve data generation #1723 Converting the rest of the tests to use the new data producer.
2019-09-10 23:14:43 +00:00
FUZZ_setRandomParameters(cctx, srcSize, producer);
[fuzz] Use the new advanced API
2019-04-09 03:01:38 +00:00
cSize = ZSTD_compress2(cctx, compressed, compressedCapacity, src, srcSize);
Fix superblock mode (#2100) Fixes: Enable RLE blocks for superblock mode Fix the limitation that the literals block must shrink. Instead, when we're within 200 bytes of the next header byte size, we will just use the next one up. That way we should (almost?) always have space for the table. Remove the limitation that the first sub-block MUST have compressed literals and be compressed. Now one sub-block MUST be compressed (otherwise we fall back to raw block which is okay, since that is streamable). If no block has compressed literals that is okay, we will fix up the next Huffman table. Handle the case where the last sub-block is uncompressed (maybe it is very small). Before it would skip superblock in this case, now we allow the last sub-block to be uncompressed. To do this we need to regenerate the correct repcodes. Respect disableLiteralsCompression in superblock mode Fix superblock mode to handle a block consisting of only compressed literals Fix a off by 1 error in superblock mode that disabled it whenever there were last literals Fix superblock mode with long literals/matches (> 0xFFFF) Allow superblock mode to repeat Huffman tables Respect ZSTD_minGain(). Tests: Simple check for the condition in #2096. When the simple_round_trip fuzzer enables superblock mode, it checks that the compressed size isn't expanded too much. Remaining limitations: O(targetCBlockSize^2) because we recompute statistics every sequence Unable to split literals of length > targetCBlockSize into multiple sequences Refuses to generate sub-blocks that don't shrink the compressed data, so we could end up with large sub-blocks. We should emit those sections as uncompressed blocks instead. ... Fixes #2096
2020-05-01 23:11:47 +00:00
FUZZ_ZASSERT(ZSTD_CCtx_getParameter(cctx, ZSTD_c_targetCBlockSize, &targetCBlockSize));
[fuzzer] Fuzz long range matching & new API
2017-09-14 21:41:49 +00:00
} else {
Use range instead of the generic uint32 method to use less bytes when generating necessary numbers.
2019-09-12 19:40:12 +00:00
int const cLevel = FUZZ_dataProducer_int32Range(producer, kMinClevel, kMaxClevel);
[fuzzer] Fuzz long range matching & new API
2017-09-14 21:41:49 +00:00
cSize = ZSTD_compressCCtx(
cctx, compressed, compressedCapacity, src, srcSize, cLevel);
}
[fuzz] Speed up round trip tests * Enforce smaller maximum values for parameters * Adjust parameters to the source size The memory usage is reduced by about 5x, which makes the fuzzers run at least twice as fast, even more so with ASAN/MSAN enabled.
2017-09-26 21:03:43 +00:00
FUZZ_ZASSERT(cSize);
Fix superblock mode (#2100) Fixes: Enable RLE blocks for superblock mode Fix the limitation that the literals block must shrink. Instead, when we're within 200 bytes of the next header byte size, we will just use the next one up. That way we should (almost?) always have space for the table. Remove the limitation that the first sub-block MUST have compressed literals and be compressed. Now one sub-block MUST be compressed (otherwise we fall back to raw block which is okay, since that is streamable). If no block has compressed literals that is okay, we will fix up the next Huffman table. Handle the case where the last sub-block is uncompressed (maybe it is very small). Before it would skip superblock in this case, now we allow the last sub-block to be uncompressed. To do this we need to regenerate the correct repcodes. Respect disableLiteralsCompression in superblock mode Fix superblock mode to handle a block consisting of only compressed literals Fix a off by 1 error in superblock mode that disabled it whenever there were last literals Fix superblock mode with long literals/matches (> 0xFFFF) Allow superblock mode to repeat Huffman tables Respect ZSTD_minGain(). Tests: Simple check for the condition in #2096. When the simple_round_trip fuzzer enables superblock mode, it checks that the compressed size isn't expanded too much. Remaining limitations: O(targetCBlockSize^2) because we recompute statistics every sequence Unable to split literals of length > targetCBlockSize into multiple sequences Refuses to generate sub-blocks that don't shrink the compressed data, so we could end up with large sub-blocks. We should emit those sections as uncompressed blocks instead. ... Fixes #2096
2020-05-01 23:11:47 +00:00
dSize = ZSTD_decompressDCtx(dctx, result, resultCapacity, compressed, cSize);
FUZZ_ZASSERT(dSize);
/* When superblock is enabled make sure we don't expand the block more than expected. */
if (targetCBlockSize != 0) {
size_t normalCSize;
FUZZ_ZASSERT(ZSTD_CCtx_setParameter(cctx, ZSTD_c_targetCBlockSize, 0));
normalCSize = ZSTD_compress2(cctx, compressed, compressedCapacity, src, srcSize);
FUZZ_ZASSERT(normalCSize);
{
size_t const bytesPerBlock = 3 /* block header */
+ 5 /* Literal header */
+ 6 /* Huffman jump table */
+ 3 /* number of sequences */
+ 1 /* symbol compression modes */;
size_t const expectedExpansion = bytesPerBlock * (1 + (normalCSize / MAX(1, targetCBlockSize)));
[fuzz] Expand the allowedExpansion
2020-05-19 18:42:53 +00:00
size_t const allowedExpansion = (srcSize >> 3) + 5 * expectedExpansion + 10;
Fix superblock mode (#2100) Fixes: Enable RLE blocks for superblock mode Fix the limitation that the literals block must shrink. Instead, when we're within 200 bytes of the next header byte size, we will just use the next one up. That way we should (almost?) always have space for the table. Remove the limitation that the first sub-block MUST have compressed literals and be compressed. Now one sub-block MUST be compressed (otherwise we fall back to raw block which is okay, since that is streamable). If no block has compressed literals that is okay, we will fix up the next Huffman table. Handle the case where the last sub-block is uncompressed (maybe it is very small). Before it would skip superblock in this case, now we allow the last sub-block to be uncompressed. To do this we need to regenerate the correct repcodes. Respect disableLiteralsCompression in superblock mode Fix superblock mode to handle a block consisting of only compressed literals Fix a off by 1 error in superblock mode that disabled it whenever there were last literals Fix superblock mode with long literals/matches (> 0xFFFF) Allow superblock mode to repeat Huffman tables Respect ZSTD_minGain(). Tests: Simple check for the condition in #2096. When the simple_round_trip fuzzer enables superblock mode, it checks that the compressed size isn't expanded too much. Remaining limitations: O(targetCBlockSize^2) because we recompute statistics every sequence Unable to split literals of length > targetCBlockSize into multiple sequences Refuses to generate sub-blocks that don't shrink the compressed data, so we could end up with large sub-blocks. We should emit those sections as uncompressed blocks instead. ... Fixes #2096
2020-05-01 23:11:47 +00:00
FUZZ_ASSERT(cSize <= normalCSize + allowedExpansion);
}
}
return dSize;
[fuzz] Add libFuzzer targets * The regression driver serves both as a regression test, and as a binary for afl-fuzz. * Next, we want to check in a seed corpus for each target. Then we can run the regression test binary on them on Travis or Circle CI.
2017-06-29 23:53:52 +00:00
}
int LLVMFuzzerTestOneInput(const uint8_t *src, size_t size)
{
[fuzzer] Sometimes fuzz with one less output byte Zstd compression sometimes does different stuff when it has at least `ZSTD_compressBound()` output bytes, or not. Half of the time fuzz with `ZSTD_compressBound() - 1` output bytes. Ensure that we have at least one byte of overhead by disabling either the dictionary ID or checksum.
2019-04-09 23:47:59 +00:00
size_t const rBufSize = size;
[lib] Fix NULL pointer dereference When the output buffer is `NULL` with size 0, but the frame content size is non-zero, we will write to the NULL pointer because our bounds check underflowed. This was exposed by a recent PR that allowed an empty frame into the single-pass shortcut in streaming mode. * Fix the bug. * Fix another NULL dereference in zstd-v1. * Overflow checks in 32-bit mode. * Add a dedicated test. * Expose the bug in the dedicated simple_decompress fuzzer. * Switch all mallocs in fuzzers to return NULL for size=0. * Fix a new timeout in a fuzzer. Neither clang nor gcc show a decompression speed regression on x86-64. On x86-32 clang is slightly positive and gcc loses 2.5% of speed. Credit to OSS-Fuzz.
2020-05-01 23:35:35 +00:00
void* rBuf = FUZZ_malloc(rBufSize);
Fix superblock mode (#2100) Fixes: Enable RLE blocks for superblock mode Fix the limitation that the literals block must shrink. Instead, when we're within 200 bytes of the next header byte size, we will just use the next one up. That way we should (almost?) always have space for the table. Remove the limitation that the first sub-block MUST have compressed literals and be compressed. Now one sub-block MUST be compressed (otherwise we fall back to raw block which is okay, since that is streamable). If no block has compressed literals that is okay, we will fix up the next Huffman table. Handle the case where the last sub-block is uncompressed (maybe it is very small). Before it would skip superblock in this case, now we allow the last sub-block to be uncompressed. To do this we need to regenerate the correct repcodes. Respect disableLiteralsCompression in superblock mode Fix superblock mode to handle a block consisting of only compressed literals Fix a off by 1 error in superblock mode that disabled it whenever there were last literals Fix superblock mode with long literals/matches (> 0xFFFF) Allow superblock mode to repeat Huffman tables Respect ZSTD_minGain(). Tests: Simple check for the condition in #2096. When the simple_round_trip fuzzer enables superblock mode, it checks that the compressed size isn't expanded too much. Remaining limitations: O(targetCBlockSize^2) because we recompute statistics every sequence Unable to split literals of length > targetCBlockSize into multiple sequences Refuses to generate sub-blocks that don't shrink the compressed data, so we could end up with large sub-blocks. We should emit those sections as uncompressed blocks instead. ... Fixes #2096
2020-05-01 23:11:47 +00:00
size_t cBufSize = ZSTD_compressBound(size);
[fuzzer] Sometimes fuzz with one less output byte Zstd compression sometimes does different stuff when it has at least `ZSTD_compressBound()` output bytes, or not. Half of the time fuzz with `ZSTD_compressBound() - 1` output bytes. Ensure that we have at least one byte of overhead by disabling either the dictionary ID or checksum.
2019-04-09 23:47:59 +00:00
void* cBuf;
[fuzz] Add libFuzzer targets * The regression driver serves both as a regression test, and as a binary for afl-fuzz. * Next, we want to check in a seed corpus for each target. Then we can run the regression test binary on them on Travis or Circle CI.
2017-06-29 23:53:52 +00:00
All tests should give some portion of data to the producer and use the rest.
2019-09-10 23:52:38 +00:00
/* Give a random portion of src data to the producer, to use for
parameter generation. The rest will be used for (de)compression */
[Fuzz] Improve data generation #1723 Converting the rest of the tests to use the new data producer.
2019-09-10 23:14:43 +00:00
FUZZ_dataProducer_t *producer = FUZZ_dataProducer_create(src, size);
Combining fuzz_data_producer restrict calls into a single function
2019-09-11 17:09:29 +00:00
size = FUZZ_dataProducer_reserveDataPrefix(producer);
All tests should give some portion of data to the producer and use the rest.
2019-09-10 23:52:38 +00:00
[fuzzer] Sometimes fuzz with one less output byte Zstd compression sometimes does different stuff when it has at least `ZSTD_compressBound()` output bytes, or not. Half of the time fuzz with `ZSTD_compressBound() - 1` output bytes. Ensure that we have at least one byte of overhead by disabling either the dictionary ID or checksum.
2019-04-09 23:47:59 +00:00
/* Half of the time fuzz with a 1 byte smaller output size.
* This will still succeed because we don't use a dictionary, so the dictID
* field is empty, giving us 4 bytes of overhead.
*/
[Fuzz] Improve data generation #1723 Converting the rest of the tests to use the new data producer.
2019-09-10 23:14:43 +00:00
cBufSize -= FUZZ_dataProducer_uint32Range(producer, 0, 1);
All tests should give some portion of data to the producer and use the rest.
2019-09-10 23:52:38 +00:00
[lib] Fix NULL pointer dereference When the output buffer is `NULL` with size 0, but the frame content size is non-zero, we will write to the NULL pointer because our bounds check underflowed. This was exposed by a recent PR that allowed an empty frame into the single-pass shortcut in streaming mode. * Fix the bug. * Fix another NULL dereference in zstd-v1. * Overflow checks in 32-bit mode. * Add a dedicated test. * Expose the bug in the dedicated simple_decompress fuzzer. * Switch all mallocs in fuzzers to return NULL for size=0. * Fix a new timeout in a fuzzer. Neither clang nor gcc show a decompression speed regression on x86-64. On x86-32 clang is slightly positive and gcc loses 2.5% of speed. Credit to OSS-Fuzz.
2020-05-01 23:35:35 +00:00
cBuf = FUZZ_malloc(cBufSize);
[fuzz] Add libFuzzer targets * The regression driver serves both as a regression test, and as a binary for afl-fuzz. * Next, we want to check in a seed corpus for each target. Then we can run the regression test binary on them on Travis or Circle CI.
2017-06-29 23:53:52 +00:00
if (!cctx) {
cctx = ZSTD_createCCtx();
FUZZ_ASSERT(cctx);
}
if (!dctx) {
dctx = ZSTD_createDCtx();
FUZZ_ASSERT(dctx);
}
{
size_t const result =
[Fuzz] Improve data generation #1723 Converting the rest of the tests to use the new data producer.
2019-09-10 23:14:43 +00:00
roundTripTest(rBuf, rBufSize, cBuf, cBufSize, src, size, producer);
[fuzz] Speed up round trip tests * Enforce smaller maximum values for parameters * Adjust parameters to the source size The memory usage is reduced by about 5x, which makes the fuzzers run at least twice as fast, even more so with ASAN/MSAN enabled.
2017-09-26 21:03:43 +00:00
FUZZ_ZASSERT(result);
[fuzz] Add libFuzzer targets * The regression driver serves both as a regression test, and as a binary for afl-fuzz. * Next, we want to check in a seed corpus for each target. Then we can run the regression test binary on them on Travis or Circle CI.
2017-06-29 23:53:52 +00:00
FUZZ_ASSERT_MSG(result == size, "Incorrect regenerated size");
[lib] Fix NULL pointer dereference When the output buffer is `NULL` with size 0, but the frame content size is non-zero, we will write to the NULL pointer because our bounds check underflowed. This was exposed by a recent PR that allowed an empty frame into the single-pass shortcut in streaming mode. * Fix the bug. * Fix another NULL dereference in zstd-v1. * Overflow checks in 32-bit mode. * Add a dedicated test. * Expose the bug in the dedicated simple_decompress fuzzer. * Switch all mallocs in fuzzers to return NULL for size=0. * Fix a new timeout in a fuzzer. Neither clang nor gcc show a decompression speed regression on x86-64. On x86-32 clang is slightly positive and gcc loses 2.5% of speed. Credit to OSS-Fuzz.
2020-05-01 23:35:35 +00:00
FUZZ_ASSERT_MSG(!FUZZ_memcmp(src, rBuf, size), "Corruption!");
[fuzz] Add libFuzzer targets * The regression driver serves both as a regression test, and as a binary for afl-fuzz. * Next, we want to check in a seed corpus for each target. Then we can run the regression test binary on them on Travis or Circle CI.
2017-06-29 23:53:52 +00:00
}
[fuzzer] Sometimes fuzz with one less output byte Zstd compression sometimes does different stuff when it has at least `ZSTD_compressBound()` output bytes, or not. Half of the time fuzz with `ZSTD_compressBound() - 1` output bytes. Ensure that we have at least one byte of overhead by disabling either the dictionary ID or checksum.
2019-04-09 23:47:59 +00:00
free(rBuf);
free(cBuf);
[Fuzz] Improve data generation #1723 Converting the rest of the tests to use the new data producer.
2019-09-10 23:14:43 +00:00
FUZZ_dataProducer_free(producer);
Update fuzzer sources
2017-09-13 03:20:27 +00:00
#ifndef STATEFUL_FUZZING
[fuzz] Add libFuzzer targets * The regression driver serves both as a regression test, and as a binary for afl-fuzz. * Next, we want to check in a seed corpus for each target. Then we can run the regression test binary on them on Travis or Circle CI.
2017-06-29 23:53:52 +00:00
ZSTD_freeCCtx(cctx); cctx = NULL;
ZSTD_freeDCtx(dctx); dctx = NULL;
#endif
return 0;
}
Reference in New Issue Copy Permalink