csmith fuzzing

e · e · commit d5f87224fdf0 · 2017-09-25T16:33:10.000+02:00
diff --git a/csmith-fuzzing/README b/csmith-fuzzing/README
@@ -0,0 +1,7 @@
+Fuzz bindgen with `csmith` https://github.com/csmith-project/csmith .
+
+Run with `python3 driver.py`. It will run until until it encounters an error in `bindgen`.
+
+Requires `python3`, `csmith` and `bindgen` to be in `$PATH`.
+
+csmith is run with `--no-checksum --nomain --max-block-size 1 --max-block-depth 1` which disables the `main` function and makes function bodies as simple as possible as bindgen does not care about them but they cannot be completely disabled in csmith. Run `csmith --help` to see what exactly those options do.
diff --git a/csmith-fuzzing/csmith.h b/csmith-fuzzing/csmith.h
@@ -0,0 +1,15 @@
+// Type definitions from csmith's csmith_minimal.h included in csmith.h .
+// Since other header contents are not needed we put them in here
+// so the other original header is not needed anymore.
+
+#define int8_t signed char
+#define uint8_t unsigned char
+
+#define int16_t short
+#define uint16_t unsigned short
+
+#define int32_t int
+#define uint32_t unsigned
+
+#define int64_t long long
+#define uint64_t unsigned long long
diff --git a/csmith-fuzzing/driver.py b/csmith-fuzzing/driver.py
@@ -0,0 +1,33 @@
+from subprocess import run, DEVNULL, PIPE
+
+csmith_command = [
+        "csmith",
+        "--no-checksum",
+        "--nomain",
+        "--max-block-size", "1",
+        "--max-block-depth", "1",
+        "--output", "generated.h"]
+
+bindgen_command = ["bindgen", "generated.h"]
+
+if __name__ == "__main__":
+    print("Bindgen fuzzing with csmith.")
+    print(
+        "This script will write to generated.h, bindgen_stdout, bindgen_stderr and platform.info . "
+        "These files can be deleted after running.")
+
+    iterations = 0
+    while True:
+        print("\rIteration: {}".format(iterations), end="", flush=True)
+
+        run(csmith_command, stdin=DEVNULL, stdout=DEVNULL, stderr=DEVNULL)
+        with open("bindgen_stdout", "wb") as stdout, open("bindgen_stdout", "wb") as stderr:
+            result = run(bindgen_command, stdin=DEVNULL, stdout=stdout, stderr=stderr)
+            if result.returncode != 0:
+                print()
+                print(
+                    "Error: bindgen existed with non zero exit code {} when ran on generated.h . "
+                    "You can find its output in bindgen_stoud and bindgen_stderr."
+                    .format(result.returncode))
+                exit()
+        iterations += 1
