Jakub Jelinek wrote: > On Mon, Aug 11, 2014 at 10:27:03AM +0100, Gary Benson wrote: > > This patch adds a simple fuzzer for the libiberty C++ demangler. > > You can run it like this: > > > > make -C /path/to/build/libiberty/testsuite fuzz-demangler > > > > It will run until it dumps core (usually only a few seconds). > > > > Is this ok to commit? > > I think it is bad when the command never succeeds in case of > success. There should be some limit on the number of iterations > (perhaps a parameter to the program), or timeout.
How about as inlined below, with a 60 second timeout?

> > +  for (i = 0; i < length; i++)
> > +    *(buffer++) = (rand () % (ALPMAX - ALPMIN)) + ALPMIN;
> > +
> > +  *(buffer++) = '\0';
> Please use just *buffer++ instead of *(buffer++) in both places.

Changed below.

Thanks,
Gary

--
2014-08-11  Gary Benson  <gben...@redhat.com>

	* testsuite/demangler-fuzzer.c: New file.
	* testsuite/Makefile.in (fuzz-demangler): New rule.
	(demangler-fuzzer): Likewise.
	(mostlyclean): Clean up demangler fuzzer.

Index: libiberty/testsuite/Makefile.in
===================================================================
--- libiberty/testsuite/Makefile.in	(revision 213809)
+++ libiberty/testsuite/Makefile.in	(working copy)
@@ -59,6 +59,10 @@
 check-expandargv: test-expandargv
 	./test-expandargv
+# Run the demangler fuzzer
+fuzz-demangler: demangler-fuzzer
+	./demangler-fuzzer
+
 TEST_COMPILE = $(CC) @DEFS@ $(LIBCFLAGS) -I.. -I$(INCDIR) $(HDEFINES)
 test-demangle: $(srcdir)/test-demangle.c ../libiberty.a
 	$(TEST_COMPILE) -o test-demangle \
@@ -72,6 +76,10 @@
 	$(TEST_COMPILE) -DHAVE_CONFIG_H -I.. -o test-expandargv \
 		$(srcdir)/test-expandargv.c ../libiberty.a
+demangler-fuzzer: $(srcdir)/demangler-fuzzer.c ../libiberty.a
+	$(TEST_COMPILE) -o demangler-fuzzer \
+		$(srcdir)/demangler-fuzzer.c ../libiberty.a
+
 # Standard (either GNU or Cygnus) rules we don't use.
 html install-html info install-info clean-info dvi pdf install-pdf \
 install etags tags installcheck:
@@ -81,6 +89,7 @@
 	rm -f test-demangle
 	rm -f test-pexecute
 	rm -f test-expandargv
+	rm -f demangler-fuzzer
 	rm -f core
 clean: mostlyclean
 distclean: clean
Index: libiberty/testsuite/demangler-fuzzer.c
===================================================================
--- libiberty/testsuite/demangler-fuzzer.c	(revision 0)
+++ libiberty/testsuite/demangler-fuzzer.c	(revision 0)
@@ -0,0 +1,67 @@
+/* Demangler fuzzer.
+
+   Copyright (C) 2014 Free Software Foundation, Inc.
+
+   This file is part of GNU libiberty.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program. If not, see <http://www.gnu.org/licenses/>.  */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <unistd.h>
+#include <time.h>
+#include <demangle.h>
+
+#define MAXLEN 253
+#define ALPMIN 33
+#define ALPMAX 127
+
+static int quit_flag;
+
+static void
+alarm_handler (int signum)
+{
+  quit_flag = 1;
+}
+
+int
+main (int argc, char *argv[])
+{
+  char symbol[2 + MAXLEN + 1] = "_Z";
+  int count = 0;
+
+  srand (time (NULL));
+  signal (SIGALRM, alarm_handler);
+  alarm (60);
+
+  while (!quit_flag)
+    {
+      char *buffer = symbol + 2;
+      int length, i;
+
+      length = rand () % MAXLEN;
+      for (i = 0; i < length; i++)
+	*buffer++ = (rand () % (ALPMAX - ALPMIN)) + ALPMIN;
+
+      *buffer++ = '\0';
+
+      cplus_demangle (symbol, DMGL_AUTO | DMGL_ANSI | DMGL_PARAMS);
+
+      count++;
+    }
+
+  printf ("Successfully demangled %d symbols\n", count);
+  exit (0);
+}
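Review bot: `quit_flag` is stored from the SIGALRM handler but declared as a plain `static int`, so the `while (!quit_flag)` loop is not guaranteed to ever see the store — C only makes that promise for `volatile sig_atomic_t`, and since the flag's address never escapes, an optimizer may legitimately hoist the load out of the loop and spin forever, defeating the 60-second timeout this revision adds; declare it `static volatile sig_atomic_t quit_flag;`. Separately, the result of `cplus_demangle` is discarded, and libiberty documents that string as malloc'd on success, so a tight 60-second loop accumulates a leak that both grows memory steadily and masks any genuine allocator failure inside the demangler; capture and release it, e.g. `free (cplus_demangle (symbol, DMGL_AUTO | DMGL_ANSI | DMGL_PARAMS));`. The seed comes from `time (NULL)` and is never reported, so a crash found by `fuzz-demangler` cannot be reproduced; print the seed at startup or take it from `argv[1]` (currently unused) so the failing input stream can be regenerated. Finally, the closing `printf` reports every iteration as "Successfully demangled" without checking the return value, which on random input is mostly NULL; `"Processed %d symbols\n"` would be the honest count.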