mdebray/tvl-depot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tvl-depot/third_party/immer/test/flex_vector/fuzzed-2.cpp
Vincent Ambo 1213b086a1 merge(3p/immer): Subtree merge at 'ad3e3556d' as 'third_party/immer' 
Change-Id: I9636a41ad44b4218293833fd3e9456d9b07c731b
2020-07-15 08:23:32 +01:00

188 lines
6.6 KiB
C++
Raw Blame History

//
// immer: immutable data structures for C++
// Copyright (C) 2016, 2017, 2018 Juan Pedro Bolivar Puente
//
// This software is distributed under the Boost Software License, Version 1.0.
// See accompanying file LICENSE or copy at http://boost.org/LICENSE_1_0.txt
//
#include "extra/fuzzer/fuzzer_input.hpp"
#include <array>
#include <catch.hpp>
#include <immer/flex_vector.hpp>
#include <iostream>
#define IMMER_FUZZED_TRACE_ENABLE 0
#if IMMER_FUZZED_TRACE_ENABLE
#define IMMER_FUZZED_TRACE(...) std::cout << __VA_ARGS__ << std::endl;
#else
#define IMMER_FUZZED_TRACE(...)
#endif
namespace {
template <std::size_t VarCount = 2, unsigned Bits = 2>
int run_input(const std::uint8_t* data, std::size_t size)
{
using vector_t =
immer::flex_vector<int, immer::default_memory_policy, Bits, Bits>;
using size_t = std::uint8_t;
auto vars = std::array<vector_t, VarCount>{};
#if IMMER_FUZZED_TRACE_ENABLE
std::cout << "/// new test run" << std::endl;
for (auto i = 0u; i < VarCount; ++i)
std::cout << "auto var" << i << " = vector_t{};" << std::endl;
#endif
auto is_valid_var = [&](auto idx) { return idx >= 0 && idx < VarCount; };
auto is_valid_index = [](auto& v) {
return [&](auto idx) { return idx >= 0 && idx < v.size(); };
};
auto is_valid_size = [](auto& v) {
return [&](auto idx) { return idx >= 0 && idx <= v.size(); };
};
auto can_concat = [](auto&& v1, auto&& v2) {
using size_type = decltype(v1.size());
return v2.size() < (std::numeric_limits<size_type>::max() - v1.size());
};
auto can_insert = [](auto&& v1) {
using size_type = decltype(v1.size());
return v1.size() < std::numeric_limits<size_type>::max();
};
return fuzzer_input{data, size}.run([&](auto& in) {
enum ops
{
op_push_back,
op_update,
op_take,
op_drop,
op_concat,
op_push_back_move,
op_update_move,
op_take_move,
op_drop_move,
};
auto src = read<std::uint8_t>(in, is_valid_var);
auto dst = read<std::uint8_t>(in, is_valid_var);
switch (read<char>(in)) {
case op_push_back:
if (can_insert(vars[src])) {
IMMER_FUZZED_TRACE("var" << +dst << " = var" << +src
<< ".push_back(42);");
vars[dst] = vars[src].push_back(42);
}
break;
case op_update: {
auto idx = read<size_t>(in, is_valid_index(vars[src]));
IMMER_FUZZED_TRACE("var" << +dst << " = var" << +src << ".update("
<< +idx
<< ", [] (auto x) { return x + 1; });");
vars[dst] = vars[src].update(idx, [](auto x) { return x + 1; });
break;
}
case op_take: {
auto idx = read<size_t>(in, is_valid_size(vars[src]));
IMMER_FUZZED_TRACE("var" << +dst << " = var" << +src << ".take("
<< +idx << ");");
vars[dst] = vars[src].take(idx);
break;
}
case op_drop: {
auto idx = read<size_t>(in, is_valid_size(vars[src]));
IMMER_FUZZED_TRACE("var" << +dst << " = var" << +src << ".take("
<< +idx << ");");
vars[dst] = vars[src].drop(idx);
break;
}
case op_concat: {
auto src2 = read<std::uint8_t>(in, is_valid_var);
if (can_concat(vars[src], vars[src2])) {
IMMER_FUZZED_TRACE("var" << +dst << " = var" << +src << " + var"
<< +src2 << ";");
vars[dst] = vars[src] + vars[src2];
}
break;
}
case op_push_back_move: {
if (can_insert(vars[src])) {
IMMER_FUZZED_TRACE("var" << +dst << " = std::move(var" << +src
<< ").push_back(21);");
vars[dst] = std::move(vars[src]).push_back(21);
}
break;
}
case op_update_move: {
auto idx = read<size_t>(in, is_valid_index(vars[src]));
IMMER_FUZZED_TRACE("var" << +dst << " = std::move(var" << +src
<< ").update(" << +idx
<< ", [] (auto x) { return x + 1; });");
vars[dst] =
std::move(vars[src]).update(idx, [](auto x) { return x + 1; });
break;
}
case op_take_move: {
auto idx = read<size_t>(in, is_valid_size(vars[src]));
IMMER_FUZZED_TRACE("var" << +dst << " = std::move(var" << +src
<< ").take(" << +idx << ");");
vars[dst] = std::move(vars[src]).take(idx);
break;
}
case op_drop_move: {
auto idx = read<size_t>(in, is_valid_size(vars[src]));
IMMER_FUZZED_TRACE("var" << +dst << " = std::move(var" << +src
<< ").drop(" << +idx << ");");
vars[dst] = std::move(vars[src]).drop(idx);
break;
}
default:
break;
};
return true;
});
}
} // anonymous namespace
TEST_CASE("bug: use after free on move-take")
{
SECTION("")
{
using vector_t =
immer::flex_vector<int, immer::default_memory_policy, 2, 2>;
auto var0 = vector_t{};
auto var1 = vector_t{};
var0 = var0.push_back(42);
var0 = var0.push_back(42);
var0 = var0.push_back(42);
var0 = var0.push_back(42);
var0 = var0 + var0;
var0 = var0 + var0;
var0 = var0 + var0;
var0 = var0 + var0;
var0 = var0.push_back(42);
var0 = var0.push_back(42);
var0 = var0.push_back(42);
var0 = var0.push_back(42);
var0 = var0.push_back(42);
var1 = var0.push_back(42);
var0 = std::move(var0).take(68);
}
#if __GNUC__ != 9
SECTION("")
{
constexpr std::uint8_t input[] = {
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0,
0x0, 0x40, 0x0, 0x0, 0x0, 0x0, 0x4, 0x4, 0x0, 0x0, 0x0, 0x4, 0x0,
0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0,
0x4, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x4,
0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x7, 0x41, 0xb5, 0x0, 0x0,
};
CHECK(run_input(input, sizeof(input)) == 0);
}
#endif
}
Reference in a new issue View git blame Copy permalink