[libc-commits] [libc] [libc] fuzz test for heap_sort (PR #100826)

via libc-commits libc-commits at lists.llvm.org
Tue Jul 30 12:58:56 PDT 2024


https://github.com/RoseZhang03 updated https://github.com/llvm/llvm-project/pull/100826

>From 5dbd17fe11774aa706a59ee345d2576540e4538f Mon Sep 17 00:00:00 2001
From: Rose Zhang <rosezhang at google.com>
Date: Fri, 26 Jul 2024 22:45:50 +0000
Subject: [PATCH 1/8] [libc] fuzz test for heap_sort

Made a fuzz test for heap_sort based on the qsort_fuzz implementation
---
 libc/fuzzing/stdlib/CMakeLists.txt     |  8 ++++
 libc/fuzzing/stdlib/heap_sort_fuzz.cpp | 53 ++++++++++++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 libc/fuzzing/stdlib/heap_sort_fuzz.cpp

diff --git a/libc/fuzzing/stdlib/CMakeLists.txt b/libc/fuzzing/stdlib/CMakeLists.txt
index 204bc619318da..3f954a6fe2a79 100644
--- a/libc/fuzzing/stdlib/CMakeLists.txt
+++ b/libc/fuzzing/stdlib/CMakeLists.txt
@@ -6,6 +6,14 @@ add_libc_fuzzer(
     libc.src.stdlib.qsort
 )
 
+add_libc_fuzzer(
+  heap_sort_fuzz
+  SRCS
+    heap_sort_fuzz.cpp
+  DEPENDS
+    libc.src.stlib.heap_sort
+)
+
 add_libc_fuzzer(
   atof_differential_fuzz
   SRCS
diff --git a/libc/fuzzing/stdlib/heap_sort_fuzz.cpp b/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
new file mode 100644
index 0000000000000..70daa7e623e1c
--- /dev/null
+++ b/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
@@ -0,0 +1,53 @@
+//===-- heap_sort_fuzz.cpp ----------------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+///
+/// Fuzzing test for llvm-libc heap_sort implementation.
+///
+//===----------------------------------------------------------------------===//
+
+#include "src/stdlib/heap_sort.h"
+#include <stdint.h>
+
+static int int_compare(const void *l, const void *r) {
+  int li = *reinterpret_cast<const int *>(l);
+  int ri = *reinterpret_cast<const int *>(r);
+  if (li == ri)
+    return 0;
+  else if (li > ri)
+    return 1;
+  else
+    return -1;
+}
+
+namespace LIBC_NAMESPACE_DECL {
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+
+  const size_t array_size = size / sizeof(int);
+  if (array_size == 0)
+    return 0;
+
+  int *array = new int[array_size];
+  const int *data_as_int = reinterpret_cast<const int *>(data);
+  for (size_t i = 0; i < array_size; ++i)
+    array[i] = data_as_int[i];
+
+  auto arr = internal::Array(reinterpret_cast<uint8_t *>(array), array_size, sizeof(int), int_compare);
+
+  internal::heap_sort(arr);
+
+  for (size_t i = 0; i < array_size - 1; ++i) {
+    if (arr.get(i) > arr.get(i + 1))
+      __builtin_trap();
+  }
+
+  delete[] array;
+  return 0;
+}
+
+} // namespace LIBC_NAMESPACE_DECL
\ No newline at end of file
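Review bot: The input copy at `const int *data_as_int = reinterpret_cast<const int *>(data);` followed by `array[i] = data_as_int[i];` reads `int`s through a pointer the fuzzer contract does not promise is `int`-aligned; on strict-alignment targets or under `-fsanitize=alignment` that is a harness defect, not a heap_sort finding. In practice libFuzzer hands over a heap buffer that is usually suitably aligned, but the copy can be made alignment-safe without relying on that: replace the pointer cast and the loop with `__builtin_memcpy(array, data, array_size * sizeof(int));` (the byte count is already a multiple of `sizeof(int)` because of the `size / sizeof(int)` truncation above). A related nit: the file uses `size_t` but only includes `<stdint.h>`, so it currently depends on `heap_sort.h` to bring in `<stddef.h>`; adding `#include <stddef.h>` makes that explicit.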

>From 2c39053430e84559886f56993f765e1ee1d5426c Mon Sep 17 00:00:00 2001
From: Rose Zhang <rosezhang at google.com>
Date: Sat, 27 Jul 2024 00:05:52 +0000
Subject: [PATCH 2/8] added line at end

---
 libc/fuzzing/stdlib/heap_sort_fuzz.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libc/fuzzing/stdlib/heap_sort_fuzz.cpp b/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
index 70daa7e623e1c..28950f7a6171f 100644
--- a/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
+++ b/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
@@ -50,4 +50,4 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   return 0;
 }
 
-} // namespace LIBC_NAMESPACE_DECL
\ No newline at end of file
+} // namespace LIBC_NAMESPACE_DECL

>From 9b9257f111aa426e5d8b1f7fe4fc3181d7be84aa Mon Sep 17 00:00:00 2001
From: Rose Zhang <rosezhang at google.com>
Date: Mon, 29 Jul 2024 22:03:19 +0000
Subject: [PATCH 3/8] added correct dependency and fixed nits

---
 libc/fuzzing/stdlib/CMakeLists.txt     |  2 +-
 libc/fuzzing/stdlib/heap_sort_fuzz.cpp | 14 +++++++-------
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/libc/fuzzing/stdlib/CMakeLists.txt b/libc/fuzzing/stdlib/CMakeLists.txt
index 3f954a6fe2a79..9b3298cfc55a7 100644
--- a/libc/fuzzing/stdlib/CMakeLists.txt
+++ b/libc/fuzzing/stdlib/CMakeLists.txt
@@ -11,7 +11,7 @@ add_libc_fuzzer(
   SRCS
     heap_sort_fuzz.cpp
   DEPENDS
-    libc.src.stlib.heap_sort
+    libc.src.stdlib.qsort_util
 )
 
 add_libc_fuzzer(
diff --git a/libc/fuzzing/stdlib/heap_sort_fuzz.cpp b/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
index 28950f7a6171f..9b4600062e925 100644
--- a/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
+++ b/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
@@ -1,4 +1,4 @@
-//===-- heap_sort_fuzz.cpp ----------------------------------------------------===//
+//===-- heap_sort_fuzz.cpp ------------------------------------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
@@ -10,6 +10,7 @@
 ///
 //===----------------------------------------------------------------------===//
 
+#include "src/__support/macros/config.h"
 #include "src/stdlib/heap_sort.h"
 #include <stdint.h>
 
@@ -18,10 +19,9 @@ static int int_compare(const void *l, const void *r) {
   int ri = *reinterpret_cast<const int *>(r);
   if (li == ri)
     return 0;
-  else if (li > ri)
+  if (li > ri)
     return 1;
-  else
-    return -1;
+  return -1;
 }
 
 namespace LIBC_NAMESPACE_DECL {
@@ -37,14 +37,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   for (size_t i = 0; i < array_size; ++i)
     array[i] = data_as_int[i];
 
-  auto arr = internal::Array(reinterpret_cast<uint8_t *>(array), array_size, sizeof(int), int_compare);
+  auto arr = internal::Array(reinterpret_cast<uint8_t *>(array), array_size, 
+                                            sizeof(int), int_compare);
 
   internal::heap_sort(arr);
 
-  for (size_t i = 0; i < array_size - 1; ++i) {
+  for (size_t i = 0; i < array_size - 1; ++i)
     if (arr.get(i) > arr.get(i + 1))
       __builtin_trap();
-  }
 
   delete[] array;
   return 0;

>From c51d32d72c649d4f1b95fc67124a02b0c9e6ea99 Mon Sep 17 00:00:00 2001
From: Rose Zhang <rosezhang at google.com>
Date: Mon, 29 Jul 2024 23:29:11 +0000
Subject: [PATCH 4/8] removed namespace, fixed formatting

---
 libc/fuzzing/stdlib/heap_sort_fuzz.cpp | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/libc/fuzzing/stdlib/heap_sort_fuzz.cpp b/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
index 9b4600062e925..2473a1f838613 100644
--- a/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
+++ b/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
@@ -24,8 +24,6 @@ static int int_compare(const void *l, const void *r) {
   return -1;
 }
 
-namespace LIBC_NAMESPACE_DECL {
-
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 
   const size_t array_size = size / sizeof(int);
@@ -37,10 +35,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   for (size_t i = 0; i < array_size; ++i)
     array[i] = data_as_int[i];
 
-  auto arr = internal::Array(reinterpret_cast<uint8_t *>(array), array_size, 
-                                            sizeof(int), int_compare);
+  auto arr = LIBC_NAMESPACE::internal::Array(
+      reinterpret_cast<uint8_t *>(array), array_size, sizeof(int), int_compare);
 
-  internal::heap_sort(arr);
+  LIBC_NAMESPACE::internal::heap_sort(arr);
 
   for (size_t i = 0; i < array_size - 1; ++i)
     if (arr.get(i) > arr.get(i + 1))
@@ -49,5 +47,3 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   delete[] array;
   return 0;
 }
-
-} // namespace LIBC_NAMESPACE_DECL

>From 453d3b21443f73b9e4135cec2c0953b9a2bbed50 Mon Sep 17 00:00:00 2001
From: Rose Zhang <rosezhang at google.com>
Date: Tue, 30 Jul 2024 17:56:23 +0000
Subject: [PATCH 5/8] fixed compare statement

---
 libc/fuzzing/stdlib/heap_sort_fuzz.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libc/fuzzing/stdlib/heap_sort_fuzz.cpp b/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
index 2473a1f838613..dc21d15a0f83c 100644
--- a/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
+++ b/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
@@ -41,7 +41,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   LIBC_NAMESPACE::internal::heap_sort(arr);
 
   for (size_t i = 0; i < array_size - 1; ++i)
-    if (arr.get(i) > arr.get(i + 1))
+    if (*arr.get(i) < *arr.get(i+1))
       __builtin_trap();
 
   delete[] array;

>From 1f774abfe524e4561ab6233086e28a37fea73654 Mon Sep 17 00:00:00 2001
From: Rose Zhang <rosezhang at google.com>
Date: Tue, 30 Jul 2024 19:46:48 +0000
Subject: [PATCH 6/8] using reinterpret cast to dereference pointer into an int

---
 libc/fuzzing/stdlib/heap_sort_fuzz.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libc/fuzzing/stdlib/heap_sort_fuzz.cpp b/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
index dc21d15a0f83c..0a08059b0fb92 100644
--- a/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
+++ b/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
@@ -41,7 +41,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   LIBC_NAMESPACE::internal::heap_sort(arr);
 
   for (size_t i = 0; i < array_size - 1; ++i)
-    if (*arr.get(i) < *arr.get(i+1))
+    if (*reinterpret_cast<const int *>(arr.get(i)) > *reinterpret_cast<const int *>(arr.get(i + 1)))
       __builtin_trap();
 
   delete[] array;

>From 7bdd9609cc006b21f779c95ca6874c33dbecdcb2 Mon Sep 17 00:00:00 2001
From: Rose Zhang <rosezhang at google.com>
Date: Tue, 30 Jul 2024 19:51:29 +0000
Subject: [PATCH 7/8] formatting

---
 libc/fuzzing/stdlib/heap_sort_fuzz.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libc/fuzzing/stdlib/heap_sort_fuzz.cpp b/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
index 0a08059b0fb92..734db495d5c4a 100644
--- a/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
+++ b/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
@@ -41,7 +41,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   LIBC_NAMESPACE::internal::heap_sort(arr);
 
   for (size_t i = 0; i < array_size - 1; ++i)
-    if (*reinterpret_cast<const int *>(arr.get(i)) > *reinterpret_cast<const int *>(arr.get(i + 1)))
+    if (*reinterpret_cast<const int *>(arr.get(i)) >
+        *reinterpret_cast<const int *>(arr.get(i + 1)))
       __builtin_trap();
 
   delete[] array;

>From e624932586d63537172b1224a12d94ecd9ee6656 Mon Sep 17 00:00:00 2001
From: Rose Zhang <rosezhang at google.com>
Date: Tue, 30 Jul 2024 19:58:34 +0000
Subject: [PATCH 8/8] access directly from original array

---
 libc/fuzzing/stdlib/heap_sort_fuzz.cpp | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/libc/fuzzing/stdlib/heap_sort_fuzz.cpp b/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
index 734db495d5c4a..ad2d3113a59df 100644
--- a/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
+++ b/libc/fuzzing/stdlib/heap_sort_fuzz.cpp
@@ -41,8 +41,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   LIBC_NAMESPACE::internal::heap_sort(arr);
 
   for (size_t i = 0; i < array_size - 1; ++i)
-    if (*reinterpret_cast<const int *>(arr.get(i)) >
-        *reinterpret_cast<const int *>(arr.get(i + 1)))
+    if (array[i] > array[i + 1])
       __builtin_trap();
 
   delete[] array;
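Review bot: The post-sort check `if (array[i] > array[i + 1]) __builtin_trap();` only verifies ordering, so a heap_sort bug that drops, duplicates or overwrites elements while leaving the remainder sorted would still pass the harness. A cheap order-independent fingerprint taken before the sort and compared afterwards catches that class without needing a full permutation check; wraparound on `unsigned` is well defined, so the sum cannot itself introduce UB. This is a sanity invariant rather than a proof of permutation, and if qsort_fuzz is meant to stay the template, it would benefit from the same addition. The enclosing `LLVMFuzzerTestOneInput` begins and ends outside this hunk; the fingerprint loop goes right after the copy of the fuzzer bytes into `array`.
```cpp
  // … unchanged: copy of the fuzzer bytes into `array` …
  // Order-independent fingerprint of the input: the adjacent-pair check
  // below cannot see a sort that loses or duplicates elements.
  unsigned input_sum = 0;
  for (size_t i = 0; i < array_size; ++i)
    input_sum += static_cast<unsigned>(array[i]);
  // … unchanged: Array construction and heap_sort call …
  for (size_t i = 0; i < array_size - 1; ++i)
    if (array[i] > array[i + 1])
      __builtin_trap();
  unsigned sorted_sum = 0;
  for (size_t i = 0; i < array_size; ++i)
    sorted_sum += static_cast<unsigned>(array[i]);
  if (sorted_sum != input_sum)
    __builtin_trap();
```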


