Fuzz bindgen with C-Smith #969
Comments
|
Note: #1033 added some initial infrastructure for fuzzing Additional help tweaking knobs to get C-Smith to exercise Also, perhaps seeing if running C-Smith for longer periods ends up uncovering anything. Finally, it might make sense to file issues upstream with C-Smith if we can't tweak knobs to our satisfaction. |
csmith fuzzing ref #969 An initial version of a script that fuzzes bindgen with csmith. I ran it for maybe 1000 iterations and it did not find something wrong. The programs generated by csmith are probably too simple type wise. Here is an example output of what csmith generates: ``` C /* --- Struct/Union Declarations --- */ union U2 { uint64_t f0; const signed f1 : 18; }; union U4 { const volatile signed f0 : 1; volatile int16_t f1; int32_t f2; int8_t * const f3; volatile int64_t f4; }; union U5 { const int8_t * f0; volatile int8_t f1; uint16_t f2; unsigned f3 : 22; }; /* --- GLOBAL VARIABLES --- */ static int8_t g_3[8] = {0x47L,0xE8L,0x47L,0x47L,0xE8L,0x47L,0x47L,0xE8L}; static int32_t g_25 = 0x3421AD7BL; static union U5 g_40 = {0};/* VOLATILE GLOBAL g_40 */ static int32_t g_43[4][3] = {{(-10L),(-10L),(-10L)},{(-10L),(-10L),(-10L)},{(-10L),(-10L),(-10L)},{(-10L),($static int32_t * volatile g_42 = &g_43[0][0];/* VOLATILE GLOBAL g_42 */ static int32_t * volatile g_50 = &g_43[2][0];/* VOLATILE GLOBAL g_50 */ static int32_t g_53 = (-9L); static union U4 g_57 = {0x9C113E7BL};/* VOLATILE GLOBAL g_57 */ /* --- FORWARD DECLARATIONS --- */ static union U4 func_1(void); static int16_t func_4(int32_t p_5); static int32_t func_6(int32_t p_7, union U2 p_8, int8_t * p_9); static int32_t func_10(uint32_t p_11, int8_t * p_12, int8_t * p_13); static int8_t * func_14(int32_t p_15, union U2 p_16); static union U2 func_28(const uint64_t p_29, int8_t * p_30, uint32_t p_31); static union U5 func_34(uint32_t p_35); ```
|
I'm wondering will it be useful to run rustc in check-only mode (as in |
|
Yes, definitely. In fact, we should run the tests, so that we can assert size and alignment. |
In what kind of way would types get more complex anyway? In plain C they usually stay fairly simple. but I did not set them because I would not expect having more "things" is more complex from bindgen's perspective. |
|
I just found a file that makes bindgen say output: |
|
What is the best way to run the tests in the bindgen output? In a full project I would run |
|
I'm not sure whether this is best way, but you can try following command bindgen [header.h] | rustc --test | ./rust_out |
|
Looks like a test fails in the above example as well, so the new logic for checking if bindgen worked correctly would be:
|
|
Just found: #1034 Made a label for all issues we find with C-Smith: Also cleaned up the |
|
Ah, Im currenty changing it to follow the procedure outlined in my previous post, I will see what you changed. |
|
Also, an idea: #1036 |
|
I'm wondering if there is a way to collect all known problems found by C-Smith and don't stop fuzzing if found any of them? 🤔 |
Not sure... maybe we just need to fix all the issues more quickly ;) |
C-Smith generates C programs for fuzzing C compilers. We should create infrastructure (scripts, etc) for running it against bindgen, that we check into tree. And we should run it against bindgen.
We should look into if C-Smith supports things like controlling the kinds of programs it generates. We don't care about functions' bodies generally, and we care a whole lot about different kinds of type definitions.
The text was updated successfully, but these errors were encountered: