From d356d590524bc4a4653b9cd0ac56deedff5e0eab Mon Sep 17 00:00:00 2001 From: FuzzTest Team Date: Thu, 10 Apr 2025 02:52:15 -0700 Subject: [PATCH] Add flatbuffers enum domain PiperOrigin-RevId: 745943824 --- .github/workflows/cmake_test.yml | 3 + CMakeLists.txt | 1 + MODULE.bazel | 6 +- cmake/BuildDependencies.cmake | 17 + cmake/generate_cmake_from_bazel.py | 1 + domain_tests/BUILD | 16 + domain_tests/CMakeLists.txt | 23 + .../arbitrary_domains_flatbuffers_test.cc | 390 +++++++ e2e_tests/functional_test.cc | 27 + e2e_tests/testdata/BUILD | 2 + e2e_tests/testdata/CMakeLists.txt | 2 + .../fuzz_tests_for_functional_testing.cc | 68 ++ fuzztest/BUILD | 52 + fuzztest/CMakeLists.txt | 95 ++ fuzztest/flatbuffers.h | 19 + fuzztest/internal/domains/arbitrary_impl.h | 4 +- .../domains/flatbuffers_domain_impl.h | 977 ++++++++++++++++++ fuzztest/internal/meta.h | 16 + fuzztest/internal/test_flatbuffers.fbs | 90 ++ 19 files changed, 1806 insertions(+), 3 deletions(-) create mode 100644 domain_tests/arbitrary_domains_flatbuffers_test.cc create mode 100644 fuzztest/flatbuffers.h create mode 100644 fuzztest/internal/domains/flatbuffers_domain_impl.h create mode 100644 fuzztest/internal/test_flatbuffers.fbs diff --git a/.github/workflows/cmake_test.yml b/.github/workflows/cmake_test.yml index d23c692c1..e4a5f4400 100644 --- a/.github/workflows/cmake_test.yml +++ b/.github/workflows/cmake_test.yml @@ -77,6 +77,7 @@ jobs: -D CMAKE_CXX_COMPILER_LAUNCHER=ccache \ -D CMAKE_BUILD_TYPE=RelWithDebug \ -D FUZZTEST_BUILD_TESTING=on \ + -D FUZZTEST_BUILD_FLATBUFFERS=on \ && cmake --build build -j $(nproc) \ && ctest --test-dir build -j $(nproc) --output-on-failure - name: Run all tests in default mode with gcc 
@@ -90,6 +91,7 @@ jobs: -D CMAKE_CXX_COMPILER_LAUNCHER=ccache \ -D CMAKE_BUILD_TYPE=RelWithDebug \ -D FUZZTEST_BUILD_TESTING=on \ + -D FUZZTEST_BUILD_FLATBUFFERS=on \ && cmake --build build_gcc -j $(nproc) \ && ctest --test-dir build_gcc -j $(nproc) --output-on-failure - name: Run end-to-end tests in fuzzing mode @@ -104,6 +106,7 @@ jobs: -D CMAKE_BUILD_TYPE=RelWithDebug \ -D FUZZTEST_FUZZING_MODE=on \ -D FUZZTEST_BUILD_TESTING=on \ + -D FUZZTEST_BUILD_FLATBUFFERS=on \ && cmake --build build -j $(nproc) \ && ctest --test-dir build -j $(nproc) --output-on-failure -R "functional_test" - name: Save new cache based on main diff --git a/CMakeLists.txt b/CMakeLists.txt index 1e34de3cc..e3803d30f 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,6 +2,7 @@ cmake_minimum_required(VERSION 3.19) project(fuzztest) option(FUZZTEST_BUILD_TESTING "Building the tests." OFF) +option(FUZZTEST_BUILD_FLATBUFFERS "Building the flatbuffers support." OFF) option(FUZZTEST_FUZZING_MODE "Building the fuzztest in fuzzing mode." OFF) set(FUZZTEST_COMPATIBILITY_MODE "" CACHE STRING "Compatibility mode. Available options: , libfuzzer") set(CMAKE_CXX_STANDARD 17) diff --git a/MODULE.bazel b/MODULE.bazel index 9fbd47947..28902ac8e 100644 --- a/MODULE.bazel +++ b/MODULE.bazel @@ -42,6 +42,10 @@ bazel_dep( name = "platforms", version = "0.0.10", ) +bazel_dep( + name = "flatbuffers", + version = "25.2.10" +) # GoogleTest is not a dev dependency, because it's needed when FuzzTest is used # with GoogleTest integration (e.g., googletest_adaptor). Note that the FuzzTest # framework can be used without GoogleTest integration as well. @@ -55,8 +59,6 @@ bazel_dep( name = "protobuf", version = "30.2", ) -# TODO(lszekeres): Make this a dev dependency, as the protobuf library is only -# required for testing. bazel_dep( name = "rules_proto", version = "7.1.0", diff --git a/cmake/BuildDependencies.cmake b/cmake/BuildDependencies.cmake index 5214fcefd..2966c0b64 100644 --- a/cmake/BuildDependencies.cmake 
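Review bot: The new `bazel_dep(name = "flatbuffers", version = "25.2.10")` in MODULE.bazel is a regular dependency, so every Bazel consumer of this module now resolves flatbuffers, while the CMake side of the same patch keeps it behind `FUZZTEST_BUILD_FLATBUFFERS` (default OFF). If the asymmetry is intended, a comment above the entry would record why, e.g. `# Needed by //fuzztest:flatbuffers; not a dev dependency because users of the flatbuffers domain link against it.` The entry also lacks the trailing comma after `version = "25.2.10"` that the neighbouring `bazel_dep` calls use. The second MODULE.bazel hunk removes the protobuf dev-dependency TODO, which looks unrelated to this change and may be better kept or split into its own commit.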
+++ b/cmake/BuildDependencies.cmake @@ -21,6 +21,9 @@ set(proto_TAG v30.2) set(nlohmann_json_URL https://github.com/nlohmann/json.git) set(nlohmann_json_TAG v3.11.3) +set(flatbuffers_URL https://github.com/google/flatbuffers.git) +set(flatbuffers_TAG v25.2.10) + if(POLICY CMP0135) cmake_policy(SET CMP0135 NEW) set(CMAKE_POLICY_DEFAULT_CMP0135 NEW) @@ -50,6 +53,14 @@ FetchContent_Declare( URL_HASH MD5=${antlr_cpp_MD5} ) +if (FUZZTEST_BUILD_FLATBUFFERS) + FetchContent_Declare( + flatbuffers + GIT_REPOSITORY ${flatbuffers_URL} + GIT_TAG ${flatbuffers_TAG} + ) +endif() + if (FUZZTEST_BUILD_TESTING) FetchContent_Declare( @@ -87,3 +98,9 @@ if (FUZZTEST_BUILD_TESTING) FetchContent_MakeAvailable(nlohmann_json) endif () + +if (FUZZTEST_BUILD_FLATBUFFERS) + set(FLATBUFFERS_BUILD_TESTS OFF) + set(FLATBUFFERS_BUILD_INSTALL OFF) + FetchContent_MakeAvailable(flatbuffers) +endif() diff --git a/cmake/generate_cmake_from_bazel.py b/cmake/generate_cmake_from_bazel.py index 83d31d5dc..0c9079cbf 100755 --- a/cmake/generate_cmake_from_bazel.py +++ b/cmake/generate_cmake_from_bazel.py @@ -52,6 +52,7 @@ "@abseil-cpp//absl/types:optional": "absl::optional", "@abseil-cpp//absl/types:span": "absl::span", "@abseil-cpp//absl/types:variant": "absl::variant", + "@flatbuffers//:runtime_cc": "flatbuffers", "@googletest//:gtest": "GTest::gtest", "@googletest//:gtest_main": "GTest::gmock_main", "@protobuf//:protobuf": "protobuf::libprotobuf", diff --git a/domain_tests/BUILD b/domain_tests/BUILD index 2756234f7..26bbaf21c 100644 --- a/domain_tests/BUILD +++ b/domain_tests/BUILD 
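Review bot: `flatbuffers_TAG` is set to the tag name `v25.2.10`, which the upstream repository can move. The fetched tree is not only compiled but also supplies the `flatc` binary that this patch runs during the build (the `add_custom_command` added in fuzztest/CMakeLists.txt). Pinning `GIT_TAG` to the full commit hash makes the fetch reproducible and makes a changed upstream visible: `set(flatbuffers_TAG <full-commit-sha-of-v25.2.10>)  # v25.2.10`. The existing `proto_TAG` and `nlohmann_json_TAG` entries use the same tag-name pattern, so this may be worth a follow-up for all of them. In the last hunk of this file, `set(FLATBUFFERS_BUILD_TESTS OFF)` and `set(FLATBUFFERS_BUILD_INSTALL OFF)` are plain variables that stay set for the rest of the scope; a one-line comment that they configure only the flatbuffers sub-build would help.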
@@ -37,6 +37,22 @@ cc_test( ], ) +cc_test( + name = "arbitrary_domains_flatbuffers_test", + srcs = ["arbitrary_domains_flatbuffers_test.cc"], + deps = [ + ":domain_testing", + "@abseil-cpp//absl/container:flat_hash_map", + "@abseil-cpp//absl/random", + "@com_google_fuzztest//fuzztest:domain", + "@com_google_fuzztest//fuzztest:flatbuffers", + "@com_google_fuzztest//fuzztest:meta", + "@com_google_fuzztest//fuzztest:test_flatbuffers_cc_fbs", + "@flatbuffers//:runtime_cc", + "@googletest//:gtest_main", + ], +) + cc_test( name = "arbitrary_domains_protobuf_test", srcs = ["arbitrary_domains_protobuf_test.cc"], diff --git a/domain_tests/CMakeLists.txt b/domain_tests/CMakeLists.txt index b7875ebe7..22315ffea 100644 --- a/domain_tests/CMakeLists.txt +++ b/domain_tests/CMakeLists.txt @@ -23,6 +23,29 @@ fuzztest_cc_test( GTest::gmock_main ) +if (FUZZTEST_BUILD_FLATBUFFERS) + fuzztest_cc_test( + NAME + arbitrary_domains_flatbuffers_test + SRCS + "arbitrary_domains_flatbuffers_test.cc" + DEPS + absl::flat_hash_set + absl::random_bit_gen_ref + absl::random_random + absl::strings + flatbuffers + fuzztest::domain + fuzztest::domain_testing + fuzztest::flatbuffers + GTest::gmock_main + test_flatbuffers + ) + add_dependencies(fuzztest_arbitrary_domains_flatbuffers_test + GENERATE_test_flatbuffers + ) +endif() + fuzztest_cc_test( NAME arbitrary_domains_protobuf_test diff --git a/domain_tests/arbitrary_domains_flatbuffers_test.cc b/domain_tests/arbitrary_domains_flatbuffers_test.cc new file mode 100644 index 000000000..80fbb32de --- /dev/null +++ b/domain_tests/arbitrary_domains_flatbuffers_test.cc 
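Review bot: The CMake `DEPS` for `arbitrary_domains_flatbuffers_test` in domain_tests/CMakeLists.txt do not match what the test uses. The test includes `absl/container/flat_hash_map.h` and `./fuzztest/internal/meta.h`, and the Bazel target in the preceding hunk lists `flat_hash_map` and `:meta`, but this list names `absl::flat_hash_set` and `absl::strings` and has neither `absl::flat_hash_map` nor `fuzztest::meta`. It probably still builds through transitive dependencies, but the list should state the direct ones: add `absl::flat_hash_map` and `fuzztest::meta`, and drop `absl::flat_hash_set` and `absl::strings` unless something outside the visible includes needs them.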
@@ -0,0 +1,390 @@ +// Copyright 2025 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#include +#include +#include +#include +#include + +#include "gmock/gmock.h" +#include "gtest/gtest.h" +#include "absl/container/flat_hash_map.h" +#include "absl/random/random.h" +#include "flatbuffers/base.h" +#include "flatbuffers/buffer.h" +#include "flatbuffers/flatbuffer_builder.h" +#include "flatbuffers/string.h" +#include "flatbuffers/vector.h" +#include "./fuzztest/domain.h" +#include "./domain_tests/domain_testing.h" +#include "./fuzztest/flatbuffers.h" +#include "./fuzztest/internal/meta.h" +#include "./fuzztest/internal/test_flatbuffers_generated.h" + +namespace fuzztest { +namespace { + +using ::fuzztest::internal::DefaultTable; +using ::fuzztest::internal::OptionalTable; +using ::fuzztest::internal::RequiredTable; +using ::testing::_; +using ::testing::Each; +using ::testing::HasSubstr; +using ::testing::Pair; + +template +inline bool Eq(T lhs, T rhs) { + static_assert(!std::is_pointer_v, "T cannot be a pointer type"); + return rhs == lhs; +} + +template <> +inline bool Eq(const flatbuffers::String* lhs, + const flatbuffers::String* rhs) { + if (lhs == nullptr && rhs == nullptr) return true; + if (lhs == nullptr || rhs == nullptr) return false; + return lhs->str() == rhs->str(); +} + +template <> +inline bool Eq(const DefaultTable* lhs, + const DefaultTable* rhs) { + if (lhs == nullptr && rhs == nullptr) return true; + if (lhs == nullptr || rhs == 
nullptr) return false; + bool eq_b = Eq(lhs->b(), rhs->b()); + bool eq_i8 = Eq(lhs->i8(), rhs->i8()); + bool eq_i16 = Eq(lhs->i16(), rhs->i16()); + bool eq_i32 = Eq(lhs->i32(), rhs->i32()); + bool eq_i64 = Eq(lhs->i64(), rhs->i64()); + bool eq_u8 = Eq(lhs->u8(), rhs->u8()); + bool eq_u16 = Eq(lhs->u16(), rhs->u16()); + bool eq_u32 = Eq(lhs->u32(), rhs->u32()); + bool eq_u64 = Eq(lhs->u64(), rhs->u64()); + bool eq_f = Eq(lhs->f(), rhs->f()); + bool eq_d = Eq(lhs->d(), rhs->d()); + bool eq_str = Eq(lhs->str(), rhs->str()); + bool eq_ei8 = Eq(lhs->ei8(), rhs->ei8()); + bool eq_ei16 = Eq(lhs->ei16(), rhs->ei16()); + bool eq_ei32 = Eq(lhs->ei32(), rhs->ei32()); + bool eq_ei64 = Eq(lhs->ei64(), rhs->ei64()); + bool eq_eu8 = Eq(lhs->eu8(), rhs->eu8()); + bool eq_eu16 = Eq(lhs->eu16(), rhs->eu16()); + bool eq_eu32 = Eq(lhs->eu32(), rhs->eu32()); + bool eq_eu64 = Eq(lhs->eu64(), rhs->eu64()); + return eq_b && eq_i8 && eq_i16 && eq_i32 && eq_i64 && eq_u8 && eq_u16 && + eq_u32 && eq_u64 && eq_f && eq_d && eq_str && eq_ei8 && eq_ei16 && + eq_ei32 && eq_ei64 && eq_eu8 && eq_eu16 && eq_eu32 && eq_eu64; +} + +const internal::DefaultTable* CreateDefaultTable( + flatbuffers::FlatBufferBuilder& fbb) { + auto table_offset = + internal::CreateDefaultTableDirect(fbb, + true, // b + 1, // i8 + 2, // i16 + 3, // i32 + 4, // i64 + 5, // u8 + 6, // u16 + 7, // u32 + 8, // u64 + 9.0, // f + 10.0, // d + "foo bar baz", // str + internal::ByteEnum_First, // ei8 + internal::ShortEnum_First, // ei16 + internal::IntEnum_First, // ei32 + internal::LongEnum_First, // ei64 + internal::UByteEnum_First, // eu8 + internal::UShortEnum_First, // eu16 + internal::UIntEnum_First, // eu32 + internal::ULongEnum_First // eu64 + ); + fbb.Finish(table_offset); + return flatbuffers::GetRoot(fbb.GetBufferPointer()); +} + +TEST(FlatbuffersMetaTest, IsFlatbuffersTable) { + static_assert(internal::is_flatbuffers_table_v); + static_assert(!internal::is_flatbuffers_table_v); + 
static_assert(!internal::is_flatbuffers_table_v>); +} + +TEST(FlatbuffersTableDomainImplTest, DefaultTableValueRoundTrip) { + flatbuffers::FlatBufferBuilder fbb; + auto table = CreateDefaultTable(fbb); + + auto domain = Arbitrary(); + auto corpus = domain.FromValue(table); + ASSERT_TRUE(corpus.has_value()); + ASSERT_OK(domain.ValidateCorpusValue(*corpus)); + + auto ir = domain.SerializeCorpus(corpus.value()); + + auto new_corpus = domain.ParseCorpus(ir); + ASSERT_TRUE(new_corpus.has_value()); + ASSERT_OK(domain.ValidateCorpusValue(*new_corpus)); + + auto new_table = domain.GetValue(*new_corpus); + EXPECT_EQ(new_table->b(), true); + EXPECT_EQ(new_table->i8(), 1); + EXPECT_EQ(new_table->i16(), 2); + EXPECT_EQ(new_table->i32(), 3); + EXPECT_EQ(new_table->i64(), 4); + EXPECT_EQ(new_table->u8(), 5); + EXPECT_EQ(new_table->u16(), 6); + EXPECT_EQ(new_table->u32(), 7); + EXPECT_EQ(new_table->u64(), 8); + EXPECT_EQ(new_table->f(), 9.0); + EXPECT_EQ(new_table->d(), 10.0); + EXPECT_EQ(new_table->str()->str(), "foo bar baz"); + EXPECT_EQ(new_table->ei8(), internal::ByteEnum_First); + EXPECT_EQ(new_table->ei16(), internal::ShortEnum_First); + EXPECT_EQ(new_table->ei32(), internal::IntEnum_First); + EXPECT_EQ(new_table->ei64(), internal::LongEnum_First); + EXPECT_EQ(new_table->eu8(), internal::UByteEnum_First); + EXPECT_EQ(new_table->eu16(), internal::UShortEnum_First); + EXPECT_EQ(new_table->eu32(), internal::UIntEnum_First); + EXPECT_EQ(new_table->eu64(), internal::ULongEnum_First); +} + +TEST(FlatbuffersTableDomainImplTest, InitGeneratesSeeds) { + flatbuffers::FlatBufferBuilder fbb; + auto table = CreateDefaultTable(fbb); + + auto domain = Arbitrary(); + domain.WithSeeds({table}); + + std::vector> values; + absl::BitGen bitgen; + bool is_seed = false; + for (int i = 0; i < 1000; ++i) { + Value value(domain, bitgen); + is_seed |= Eq(value.user_value, table); + if (is_seed) { + break; + } + } + EXPECT_TRUE(is_seed); +} + +TEST(FlatbuffersTableDomainImplTest, 
EventuallyMutatesAllTableFields) { + absl::flat_hash_map mutated_fields{ + {"b", false}, {"i8", false}, {"i16", false}, {"i32", false}, + {"i64", false}, {"u8", false}, {"u16", false}, {"u32", false}, + {"u64", false}, {"f", false}, {"d", false}, {"str", false}, + {"ei8", false}, {"ei16", false}, {"ei32", false}, {"ei64", false}, + {"eu8", false}, {"eu16", false}, {"eu32", false}, {"eu64", false}, + }; + + auto domain = Arbitrary(); + + absl::BitGen bitgen; + Value initial_val(domain, bitgen); + Value val(initial_val); + + for (size_t i = 0; i < 10'000; ++i) { + val.Mutate(domain, bitgen, {}, false); + const auto& mut = val.user_value; + const auto& init = initial_val.user_value; + + mutated_fields["b"] |= !Eq(mut->b(), init->b()); + mutated_fields["i8"] |= !Eq(mut->i8(), init->i8()); + mutated_fields["i16"] |= !Eq(mut->i16(), init->i16()); + mutated_fields["i32"] |= !Eq(mut->i32(), init->i32()); + mutated_fields["i64"] |= !Eq(mut->i64(), init->i64()); + mutated_fields["u8"] |= !Eq(mut->u8(), init->u8()); + mutated_fields["u16"] |= !Eq(mut->u16(), init->u16()); + mutated_fields["u32"] |= !Eq(mut->u32(), init->u32()); + mutated_fields["u64"] |= !Eq(mut->u64(), init->u64()); + mutated_fields["f"] |= !Eq(mut->f(), init->f()); + mutated_fields["d"] |= !Eq(mut->d(), init->d()); + mutated_fields["str"] |= !Eq(mut->str(), init->str()); + mutated_fields["ei8"] |= !Eq(mut->ei8(), init->ei8()); + mutated_fields["ei16"] |= !Eq(mut->ei16(), init->ei16()); + mutated_fields["ei32"] |= !Eq(mut->ei32(), init->ei32()); + mutated_fields["ei64"] |= !Eq(mut->ei64(), init->ei64()); + mutated_fields["eu8"] |= !Eq(mut->eu8(), init->eu8()); + mutated_fields["eu16"] |= !Eq(mut->eu16(), init->eu16()); + mutated_fields["eu32"] |= !Eq(mut->eu32(), init->eu32()); + mutated_fields["eu64"] |= !Eq(mut->eu64(), init->eu64()); + + bool all_mutated = true; + for (const auto& [name, mutated] : mutated_fields) { + all_mutated &= mutated; + if (!mutated) { + break; + } + } + if (all_mutated) { + break; 
+ } + } + + EXPECT_THAT(mutated_fields, Each(Pair(_, true))); +} + +TEST(FlatbuffersTableDomainImplTest, OptionalTableEventuallyBecomeEmpty) { + flatbuffers::FlatBufferBuilder fbb; + auto table_offset = + internal::CreateOptionalTableDirect(fbb, + true, // b + 1, // i8 + 2, // i16 + 3, // i32 + 4, // i64 + 5, // u8 + 6, // u16 + 7, // u32 + 8, // u64 + 9.0, // f + 10.0, // d + "foo bar baz", // str + internal::ByteEnum_First, // ei8 + internal::ShortEnum_First, // ei16 + internal::IntEnum_First, // ei32 + internal::LongEnum_First, // ei64 + internal::UByteEnum_First, // eu8 + internal::UShortEnum_First, // eu16 + internal::UIntEnum_First, // eu32 + internal::ULongEnum_First // eu64 + ); + fbb.Finish(table_offset); + auto table = flatbuffers::GetRoot(fbb.GetBufferPointer()); + + auto domain = Arbitrary(); + Value val(domain, table); + absl::BitGen bitgen; + + absl::flat_hash_map null_fields{ + {"b", false}, {"i8", false}, {"i16", false}, {"i32", false}, + {"i64", false}, {"u8", false}, {"u16", false}, {"u32", false}, + {"u64", false}, {"f", false}, {"d", false}, {"str", false}, + {"ei8", false}, {"ei16", false}, {"ei32", false}, {"ei64", false}, + {"eu8", false}, {"eu16", false}, {"eu32", false}, {"eu64", false}, + }; + + for (size_t i = 0; i < 100'000; ++i) { + val.Mutate(domain, bitgen, {}, true); + const auto& v = val.user_value; + + null_fields["b"] |= !v->b().has_value(); + null_fields["i8"] |= !v->i8().has_value(); + null_fields["i16"] |= !v->i16().has_value(); + null_fields["i32"] |= !v->i32().has_value(); + null_fields["i64"] |= !v->i64().has_value(); + null_fields["u8"] |= !v->u8().has_value(); + null_fields["u16"] |= !v->u16().has_value(); + null_fields["u32"] |= !v->u32().has_value(); + null_fields["u64"] |= !v->u64().has_value(); + null_fields["f"] |= !v->f().has_value(); + null_fields["d"] |= !v->d().has_value(); + null_fields["str"] |= v->str() == nullptr; + null_fields["ei8"] |= !v->ei8().has_value(); + null_fields["ei16"] |= !v->ei16().has_value(); + 
null_fields["ei32"] |= !v->ei32().has_value(); + null_fields["ei64"] |= !v->ei64().has_value(); + null_fields["eu8"] |= !v->eu8().has_value(); + null_fields["eu16"] |= !v->eu16().has_value(); + null_fields["eu32"] |= !v->eu32().has_value(); + null_fields["eu64"] |= !v->eu64().has_value(); + + bool all_null = true; + for (const auto& [name, is_null] : null_fields) { + all_null &= is_null; + if (!is_null) { + break; + } + } + if (all_null) { + break; + } + } + + EXPECT_THAT(null_fields, Each(Pair(_, true))); +} + +TEST(FlatbuffersTableDomainImplTest, RequiredTableFieldsAlwaysSet) { + flatbuffers::FlatBufferBuilder fbb; + auto table_offset = internal::CreateRequiredTableDirect(fbb, + "foo bar baz" // str + ); + fbb.Finish(table_offset); + auto table = flatbuffers::GetRoot(fbb.GetBufferPointer()); + + auto domain = Arbitrary(); + Value val(domain, table); + absl::BitGen bitgen; + + absl::flat_hash_map set_fields{{"str", false}}; + + for (size_t i = 0; i < 10'000; ++i) { + val.Mutate(domain, bitgen, {}, true); + const auto& v = val.user_value; + + set_fields["str"] |= v->str() != nullptr; + + bool all_set = true; + for (const auto& [name, is_set] : set_fields) { + all_set &= is_set; + if (!is_set) { + break; + } + } + if (all_set) { + break; + } + } + + EXPECT_THAT(set_fields, Each(Pair(_, true))); +} + +TEST(FlatbuffersTableDomainImplTest, Printer) { + flatbuffers::FlatBufferBuilder fbb; + auto table = CreateDefaultTable(fbb); + auto domain = Arbitrary(); + auto corpus = domain.FromValue(table); + ASSERT_TRUE(corpus.has_value()); + + auto printer = domain.GetPrinter(); + std::string out; + printer.PrintCorpusValue(*corpus, &out, + domain_implementor::PrintMode::kHumanReadable); + + EXPECT_THAT(out, HasSubstr("b: (true)")); + EXPECT_THAT(out, HasSubstr("i8: (1)")); + EXPECT_THAT(out, HasSubstr("i16: (2)")); + EXPECT_THAT(out, HasSubstr("i32: (3)")); + EXPECT_THAT(out, HasSubstr("i64: (4)")); + EXPECT_THAT(out, HasSubstr("u8: (5)")); + EXPECT_THAT(out, HasSubstr("u16: 
(6)")); + EXPECT_THAT(out, HasSubstr("u32: (7)")); + EXPECT_THAT(out, HasSubstr("u64: (8)")); + EXPECT_THAT(out, HasSubstr("f: (9.f)")); + EXPECT_THAT(out, HasSubstr("d: (10.)")); + EXPECT_THAT(out, HasSubstr("str: (\"foo bar baz\")")); + EXPECT_THAT(out, HasSubstr("ei8: (First)")); + EXPECT_THAT(out, HasSubstr("ei16: (First)")); + EXPECT_THAT(out, HasSubstr("ei32: (First)")); + EXPECT_THAT(out, HasSubstr("ei64: (First)")); + EXPECT_THAT(out, HasSubstr("eu8: (First)")); + EXPECT_THAT(out, HasSubstr("eu16: (First)")); + EXPECT_THAT(out, HasSubstr("eu32: (First)")); + EXPECT_THAT(out, HasSubstr("eu64: (First)")); +} + +} // namespace +} // namespace fuzztest diff --git a/e2e_tests/functional_test.cc b/e2e_tests/functional_test.cc index e26128a5b..6df04f0be 100644 --- a/e2e_tests/functional_test.cc +++ b/e2e_tests/functional_test.cc 
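Review bot: None of the tests in arbitrary_domains_flatbuffers_test.cc asserts that an enum field produced by initialisation or mutation holds a value the schema declares. `EventuallyMutatesAllTableFields` only checks that `ei8()` through `eu64()` change, which an out-of-range value would also satisfy. Since the commit is about the enum domain, a test that collects the enum values seen over the mutation loop and checks each one against the declared enumerators would pin the property that matters to code consuming these tables. Separately, `InitGeneratesSeeds` declares `values` and never uses it. The tests also draw from an unseeded `absl::BitGen` with fixed iteration caps (1000, 10'000, 100'000), so a short comment on why those caps are sufficient would help whoever has to debug a flake.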
@@ -1885,6 +1885,33 @@ TEST_P(FuzzingModeCrashFindingTest, ExpectTargetAbort(status, std_err); } +TEST_P(FuzzingModeCrashFindingTest, FlatbuffersFailsWhenFieldsAreNotDefault) { + TempDir out_dir; + auto [status, std_out, std_err] = + Run("MySuite.FlatbuffersFailsWhenFieldsAreNotDefault"); + EXPECT_THAT(std_err, HasSubstr("argument 0: {b: (")); + EXPECT_THAT(std_err, HasSubstr("i8: (")); + EXPECT_THAT(std_err, HasSubstr("i16: (")); + EXPECT_THAT(std_err, HasSubstr("i32: (")); + EXPECT_THAT(std_err, HasSubstr("i64: (")); + EXPECT_THAT(std_err, HasSubstr("u8: (")); + EXPECT_THAT(std_err, HasSubstr("u16: (")); + EXPECT_THAT(std_err, HasSubstr("u32: (")); + EXPECT_THAT(std_err, HasSubstr("u64: (")); + EXPECT_THAT(std_err, HasSubstr("f: (")); + EXPECT_THAT(std_err, HasSubstr("d: (")); + EXPECT_THAT(std_err, HasSubstr("str: ")); + EXPECT_THAT(std_err, HasSubstr("ei8: (")); + EXPECT_THAT(std_err, HasSubstr("ei16: (")); + EXPECT_THAT(std_err, HasSubstr("ei32: (")); + EXPECT_THAT(std_err, HasSubstr("ei64: (")); + EXPECT_THAT(std_err, HasSubstr("eu8: (")); + EXPECT_THAT(std_err, HasSubstr("eu16: (")); + EXPECT_THAT(std_err, HasSubstr("eu32: (")); + EXPECT_THAT(std_err, HasSubstr("eu64: (")); + ExpectTargetAbort(status, std_err); +} + INSTANTIATE_TEST_SUITE_P(FuzzingModeCrashFindingTestWithExecutionModel, FuzzingModeCrashFindingTest, testing::ValuesIn(GetAvailableExecutionModels())); diff --git a/e2e_tests/testdata/BUILD b/e2e_tests/testdata/BUILD index 2d91193b4..478aa4fce 100644 --- a/e2e_tests/testdata/BUILD +++ b/e2e_tests/testdata/BUILD 
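Review bot: `TempDir out_dir;` at the top of `FlatbuffersFailsWhenFieldsAreNotDefault` is not used anywhere in the visible test body; `Run(...)` is called with the test name only. If nothing reads it, the line can be dropped. The `HasSubstr("str: ")` expectation is also looser than the other nineteen, which all include the opening parenthesis; if that is because an unset string prints differently, a comment such as `// str is printed without a parenthesised value when unset` would record the reason.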
@@ -101,9 +101,11 @@ cc_binary( "@abseil-cpp//absl/time", "@abseil-cpp//absl/types:span", "@com_google_fuzztest//fuzztest", + "@com_google_fuzztest//fuzztest:flatbuffers", "@com_google_fuzztest//fuzztest:fuzztest_gtest_main", "@com_google_fuzztest//fuzztest:googletest_fixture_adapter", "@com_google_fuzztest//fuzztest:logging", + "@com_google_fuzztest//fuzztest:test_flatbuffers_cc_fbs", "@com_google_fuzztest//fuzztest:test_protobuf_cc_proto", "@protobuf", "@re2", diff --git a/e2e_tests/testdata/CMakeLists.txt b/e2e_tests/testdata/CMakeLists.txt index 4fedf2098..0a8eed9e1 100644 --- a/e2e_tests/testdata/CMakeLists.txt +++ b/e2e_tests/testdata/CMakeLists.txt @@ -43,8 +43,10 @@ target_link_libraries( absl::strings absl::time re2::re2 + fuzztest_flatbuffers fuzztest_googletest_fixture_adapter fuzztest_logging + test_flatbuffers ) link_fuzztest(fuzz_tests_for_functional_testing.stripped) set_target_properties( diff --git a/e2e_tests/testdata/fuzz_tests_for_functional_testing.cc b/e2e_tests/testdata/fuzz_tests_for_functional_testing.cc index 804950520..647aacce3 100644 --- a/e2e_tests/testdata/fuzz_tests_for_functional_testing.cc +++ b/e2e_tests/testdata/fuzz_tests_for_functional_testing.cc @@ -30,6 +30,7 @@ #include #include +#include "./fuzztest/flatbuffers.h" // IWYU pragma: keep #include "./fuzztest/fuzztest.h" #include "absl/algorithm/container.h" #include "absl/functional/function_ref.h" @@ -39,6 +40,7 @@ #include "absl/time/clock.h" #include "absl/time/time.h" #include "./fuzztest/internal/logging.h" +#include "./fuzztest/internal/test_flatbuffers_generated.h" #include "./fuzztest/internal/test_protobuf.pb.h" #include "google/protobuf/descriptor.h" #include "google/protobuf/message.h" 
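Review bot: `fuzztest_flatbuffers` and `test_flatbuffers` are linked unconditionally in e2e_tests/testdata/CMakeLists.txt, but this patch defines those targets only inside `if (FUZZTEST_BUILD_FLATBUFFERS)` in fuzztest/CMakeLists.txt, and the option defaults to OFF. With `FUZZTEST_BUILD_TESTING=on` and flatbuffers left off, the names would presumably be treated as plain library names and the link would fail; the unconditional `#include "./fuzztest/flatbuffers.h"` and `test_flatbuffers_generated.h` added to fuzz_tests_for_functional_testing.cc in the following hunks have the same problem at compile time. Either wrap the two entries in `if (FUZZTEST_BUILD_FLATBUFFERS)` with a matching preprocessor guard around the flatbuffers fuzz test, or make the testing option require the flatbuffers one. The workflow change turns the flag on in all three CI configurations, so the OFF path is no longer exercised and a break there would go unnoticed.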
@@ -56,6 +58,7 @@ using ::fuzztest::StringOf; using ::fuzztest::StructOf; using ::fuzztest::TupleOf; using ::fuzztest::VectorOf; +using ::fuzztest::internal::DefaultTable; using ::fuzztest::internal::ProtoExtender; using ::fuzztest::internal::SingleInt32Field; using ::fuzztest::internal::TestProtobuf; @@ -847,4 +850,69 @@ class FaultySetupTest { }; FUZZ_TEST_F(FaultySetupTest, NoOp); +void FlatbuffersFailsWhenFieldsAreNotDefault(const DefaultTable* table) { + // Abort if any of the fields are not set to their default values. + if (table->b() != false) { + std::abort(); + } + if (table->i8() != 0) { + std::abort(); + } + if (table->i16() != 0) { + std::abort(); + } + if (table->i32() != 0) { + std::abort(); + } + if (table->i64() != 0) { + std::abort(); + } + if (table->u8() != 0) { + std::abort(); + } + if (table->u16() != 0) { + std::abort(); + } + if (table->u32() != 0) { + std::abort(); + } + if (table->u64() != 0) { + std::abort(); + } + if (table->f() != 0.0f) { + std::abort(); + } + if (table->d() != 0.0) { + std::abort(); + } + if (table->str() != nullptr) { + std::abort(); + } + if (table->ei8() != fuzztest::internal::ByteEnum_First) { + std::abort(); + } + if (table->ei16() != fuzztest::internal::ShortEnum_First) { + std::abort(); + } + if (table->ei32() != fuzztest::internal::IntEnum_First) { + std::abort(); + } + if (table->ei64() != fuzztest::internal::LongEnum_First) { + std::abort(); + } + if (table->eu8() != fuzztest::internal::UByteEnum_First) { + std::abort(); + } + if (table->eu16() != fuzztest::internal::UShortEnum_First) { + std::abort(); + } + if (table->eu32() != fuzztest::internal::UIntEnum_First) { + std::abort(); + } + if (table->eu64() != fuzztest::internal::ULongEnum_First) { + std::abort(); + } +} +FUZZ_TEST(MySuite, FlatbuffersFailsWhenFieldsAreNotDefault) + .WithDomains(Arbitrary()); } // namespace diff --git a/fuzztest/BUILD b/fuzztest/BUILD index df77213ea..e7f33bd2f 100644 --- a/fuzztest/BUILD +++ b/fuzztest/BUILD 
@@ -349,6 +349,7 @@ cc_library( ":serialization", ":status", ":type_support", + "@abseil-cpp//absl/algorithm:container", "@abseil-cpp//absl/base:core_headers", "@abseil-cpp//absl/base:no_destructor", "@abseil-cpp//absl/container:flat_hash_map", @@ -452,6 +453,35 @@ cc_library( ], ) +cc_library( + name = "flatbuffers", + srcs = ["internal/domains/flatbuffers_domain_impl.h"], + hdrs = ["flatbuffers.h"], + deps = [ + ":any", + ":domain_core", + ":logging", + ":meta", + ":serialization", + ":status", + ":type_support", + "@abseil-cpp//absl/algorithm:container", + "@abseil-cpp//absl/base:core_headers", + "@abseil-cpp//absl/base:nullability", + "@abseil-cpp//absl/container:flat_hash_map", + "@abseil-cpp//absl/container:flat_hash_set", + "@abseil-cpp//absl/random", + "@abseil-cpp//absl/random:bit_gen_ref", + "@abseil-cpp//absl/random:distributions", + "@abseil-cpp//absl/status", + "@abseil-cpp//absl/status:statusor", + "@abseil-cpp//absl/strings", + "@abseil-cpp//absl/strings:str_format", + "@abseil-cpp//absl/synchronization", + "@flatbuffers//:runtime_cc", + ], +) + cc_library( name = "fixture_driver", srcs = ["internal/fixture_driver.cc"], 
@@ -831,6 +861,28 @@ cc_proto_library( deps = [":test_protobuf"], ) +# Derived from @flatbuffers//build_defs.bzl:flatbuffer_cc_library but allows output prefix for +# single source target and to have embedded schema file in the outputs. +genrule( + name = "test_flatbuffers_fbs", + srcs = ["internal/test_flatbuffers.fbs"], + outs = [ + "internal/test_flatbuffers_bfbs_generated.h", + "internal/test_flatbuffers_generated.h", + ], + cmd = "$(location @flatbuffers//:flatc) -c -o $(@D)/internal --bfbs-gen-embed --gen-name-strings $(SRCS)", + message = "Generating flatbuffer files for test_flatbuffers_fbs", + tools = ["@flatbuffers//:flatc"], +) + +cc_library( + name = "test_flatbuffers_cc_fbs", + srcs = [":test_flatbuffers_fbs"], + hdrs = [":test_flatbuffers_fbs"], + features = ["-parse_headers"], + deps = ["@flatbuffers//:runtime_cc"], +) + cc_library( name = "type_support", srcs = ["internal/type_support.cc"], diff --git a/fuzztest/CMakeLists.txt b/fuzztest/CMakeLists.txt index 64655c605..243075df8 100644 --- a/fuzztest/CMakeLists.txt +++ b/fuzztest/CMakeLists.txt @@ -56,6 +56,37 @@ fuzztest_cc_library( fuzztest::fuzztest_macros ) +if (FUZZTEST_BUILD_FLATBUFFERS) + fuzztest_cc_library( + NAME + flatbuffers + HDRS + "flatbuffers.h" + DEPS + absl::algorithm_container + absl::core_headers + absl::flat_hash_map + absl::flat_hash_set + absl::nullability + absl::random_bit_gen_ref + absl::random_distributions + absl::random_random + absl::status + absl::statusor + absl::str_format + absl::strings + absl::synchronization + flatbuffers + fuzztest::any + fuzztest::domain_core + fuzztest::logging + fuzztest::meta + fuzztest::serialization + fuzztest::status + fuzztest::type_support + ) +endif() + fuzztest_cc_library( NAME fuzztest_macros 
@@ -830,6 +861,70 @@ if (FUZZTEST_BUILD_TESTING) "${CMAKE_CURRENT_BINARY_DIR}/.." ) + if (FUZZTEST_BUILD_FLATBUFFERS) + # Generate test flatbuffers + include_directories(${FLATBUFFERS_INCLUDE_DIR}) + set(FBS_SCHEMA_FILE "${CMAKE_CURRENT_LIST_DIR}/internal/test_flatbuffers.fbs") + set(FLATC_FLAGS "--bfbs-gen-embed" "--gen-name-strings") + + # Modified version of `flatbuffers_generate_headers` + # from https://github.com/google/flatbuffers/blob/master/CMake/BuildFlatBuffers.cmake + # Supports using an output prefix for single file header generation as well + # as the embedded schema header in the output set. + add_custom_command( + OUTPUT + "internal/test_flatbuffers_bfbs_generated.h" + "internal/test_flatbuffers_generated.h" + COMMAND + $ + -o "${CMAKE_CURRENT_BINARY_DIR}/internal" + -c + ${FBS_SCHEMA_FILE} + ${FLATC_FLAGS} + DEPENDS + flatc + ${FBS_SCHEMA_FILE} + WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}" + COMMENT "Building ${FBS_SCHEMA_FILE} flatbuffers..." + ) + + # Create an additional target as add_custom_command scope is only within + # same directory (CMakeFile.txt) + add_custom_target( + GENERATE_test_flatbuffers ALL + DEPENDS + "internal/test_flatbuffers_bfbs_generated.h" + "internal/test_flatbuffers_generated.h" + COMMENT "Generating flatbuffer target test_flatbuffers" + ) + + # Set up interface library + add_library(test_flatbuffers INTERFACE) + add_dependencies( + test_flatbuffers + flatc + ${FBS_SCHEMA_FILE} + ) + target_include_directories( + test_flatbuffers + INTERFACE "${CMAKE_CURRENT_BINARY_DIR}/internal" + ) + + # Organize file layout for IDEs. 
+ source_group( + TREE "${CMAKE_CURRENT_BINARY_DIR}/internal" + PREFIX "Flatbuffers/Generated/Headers Files" + FILES + "${CMAKE_CURRENT_BINARY_DIR}/internal/test_flatbuffers_bfbs_generated.h" + "${CMAKE_CURRENT_BINARY_DIR}/internal/test_flatbuffers_generated.h" + ) + source_group( + TREE "${CMAKE_CURRENT_SOURCE_DIR}/internal" + PREFIX "Flatbuffers/Schemas" + FILES ${FBS_SCHEMA_FILE} + ) + endif() + endif () fuzztest_cc_library( diff --git a/fuzztest/flatbuffers.h b/fuzztest/flatbuffers.h new file mode 100644 index 000000000..b70ed361b --- /dev/null +++ b/fuzztest/flatbuffers.h @@ -0,0 +1,19 @@ +// Copyright 2025 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#ifndef FUZZTEST_FUZZTEST_FLATBUFFERS_H_ +#define FUZZTEST_FUZZTEST_FLATBUFFERS_H_ + +#include "./fuzztest/internal/domains/flatbuffers_domain_impl.h" // IWYU pragma: export +#endif // FUZZTEST_FUZZTEST_FLATBUFFERS_H_ diff --git a/fuzztest/internal/domains/arbitrary_impl.h b/fuzztest/internal/domains/arbitrary_impl.h index d151d50ed..f6b170258 100644 --- a/fuzztest/internal/domains/arbitrary_impl.h +++ b/fuzztest/internal/domains/arbitrary_impl.h @@ -458,7 +458,9 @@ class ArbitraryImpl< // Monostates have their own domain. !is_monostate_v && // std::array uses the Tuple domain. - !is_array_v>> + !is_array_v && + // Flatbuffers tables have their own domain. + !is_flatbuffers_table_v>> : public decltype(DetectAggregateOfImpl()) {}; // Arbitrary for std::pair. 
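Review bot: The `test_flatbuffers` interface library in fuzztest/CMakeLists.txt does not depend on `GENERATE_test_flatbuffers`, so a consumer only gets the generated headers built first if it adds that dependency itself. domain_tests/CMakeLists.txt does so for `fuzztest_arbitrary_domains_flatbuffers_test`, but the e2e testdata target that links `test_flatbuffers` in this patch does not, so in a parallel build it may compile before `test_flatbuffers_generated.h` exists. Attaching the ordering to the library covers every consumer: `add_dependencies(test_flatbuffers GENERATE_test_flatbuffers)`. The existing `add_dependencies(test_flatbuffers flatc ${FBS_SCHEMA_FILE})` also passes a file path where CMake expects target names; the schema is already tracked through `DEPENDS` on the custom command, so `${FBS_SCHEMA_FILE}` can be dropped from that call.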
diff --git a/fuzztest/internal/domains/flatbuffers_domain_impl.h b/fuzztest/internal/domains/flatbuffers_domain_impl.h
new file mode 100644
index 000000000..f6962333e
--- /dev/null
+++ b/fuzztest/internal/domains/flatbuffers_domain_impl.h
@@ -0,0 +1,977 @@ +// Copyright 2025 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#ifndef FUZZTEST_FUZZTEST_INTERNAL_DOMAINS_FLATBUFFERS_DOMAIN_IMPL_H_ +#define FUZZTEST_FUZZTEST_INTERNAL_DOMAINS_FLATBUFFERS_DOMAIN_IMPL_H_ + +#include +#include +#include +#include +#include +#include +#include + +#include "absl/algorithm/container.h" +#include "absl/base/nullability.h" +#include "absl/base/thread_annotations.h" +#include "absl/container/flat_hash_map.h" +#include "absl/random/bit_gen_ref.h" +#include "absl/random/distributions.h" +#include "absl/status/status.h" +#include "absl/strings/str_cat.h" +#include "absl/strings/str_format.h" +#include "absl/synchronization/mutex.h" +#include "flatbuffers/base.h" +#include "flatbuffers/flatbuffer_builder.h" +#include "flatbuffers/reflection.h" +#include "flatbuffers/reflection_generated.h" +#include "flatbuffers/string.h" +#include "flatbuffers/table.h" +#include "flatbuffers/verifier.h" +#include "./fuzztest/domain_core.h" +#include "./fuzztest/internal/any.h" +#include "./fuzztest/internal/domains/arbitrary_impl.h" +#include "./fuzztest/internal/domains/domain_base.h" +#include "./fuzztest/internal/domains/domain_type_erasure.h" +#include "./fuzztest/internal/domains/element_of_impl.h" +#include "./fuzztest/internal/logging.h" +#include "./fuzztest/internal/meta.h" +#include "./fuzztest/internal/serialization.h" +#include "./fuzztest/internal/status.h" + +namespace fuzztest::internal { + +template 
&& + !std::is_same_v>> + +// +// Flatbuffers enum detection. +// +struct FlatbuffersEnumTag { + using type = Underlying; +}; + +template +struct is_flatbuffers_enum_tag : std::false_type {}; + +template +struct is_flatbuffers_enum_tag> + : std::true_type {}; + +template +inline constexpr bool is_flatbuffers_enum_tag_v = + is_flatbuffers_enum_tag::value; + +struct FlatbuffersArrayTag; +struct FlatbuffersObjTag; +struct FlatbuffersUnionTag; +struct FlatbuffersVectorTag; + +// Dynamic to static dispatch visitor pattern. +template +auto VisitFlatbufferField(const Field* absl_nonnull field, Visitor visitor) { + auto field_index = field->type()->index(); + switch (field->type()->base_type()) { + case reflection::BaseType::Bool: + visitor.template Visit(field); + break; + case reflection::BaseType::Byte: + if (field_index >= 0) { + visitor.template Visit>(field); + } else { + visitor.template Visit(field); + } + break; + case reflection::BaseType::Short: + if (field_index >= 0) { + visitor.template Visit>(field); + } else { + visitor.template Visit(field); + } + break; + case reflection::BaseType::Int: + if (field_index >= 0) { + visitor.template Visit>(field); + } else { + visitor.template Visit(field); + } + break; + case reflection::BaseType::Long: + if (field_index >= 0) { + visitor.template Visit>(field); + } else { + visitor.template Visit(field); + } + break; + case reflection::BaseType::UByte: + if (field_index >= 0) { + visitor.template Visit>(field); + } else { + visitor.template Visit(field); + } + break; + case reflection::BaseType::UShort: + if (field_index >= 0) { + visitor.template Visit>(field); + } else { + visitor.template Visit(field); + } + break; + case reflection::BaseType::UInt: + if (field_index >= 0) { + visitor.template Visit>(field); + } else { + visitor.template Visit(field); + } + break; + case reflection::BaseType::ULong: + if (field_index >= 0) { + visitor.template Visit>(field); + } else { + visitor.template Visit(field); + } + break; + 
case reflection::BaseType::Float: + visitor.template Visit(field); + break; + case reflection::BaseType::Double: + visitor.template Visit(field); + break; + case reflection::BaseType::String: + visitor.template Visit(field); + break; + case reflection::BaseType::Vector: + case reflection::BaseType::Vector64: + visitor.template Visit(field); + break; + case reflection::BaseType::Array: + visitor.template Visit(field); + break; + case reflection::BaseType::Obj: + visitor.template Visit(field); + break; + case reflection::BaseType::Union: + visitor.template Visit(field); + break; + default: + FUZZTEST_INTERNAL_CHECK(false, "Unsupported base type"); + } +} + +// Flatbuffers enum domain implementation. +template +class FlatbuffersEnumDomainImpl + : public domain_implementor::DomainBase< + // Derived, for CRTP needs. See DomainBase for more details. + FlatbuffersEnumDomainImpl, + // ValueType - user facing type + Underlaying, + // CorpusType - internal representation of ValueType + ElementOfImplCorpusType> { + public: + using typename FlatbuffersEnumDomainImpl::DomainBase::corpus_type; + using typename FlatbuffersEnumDomainImpl::DomainBase::value_type; + + explicit FlatbuffersEnumDomainImpl(const reflection::Enum* enum_def) + : enum_def_(enum_def), inner_(GetEnumValues(enum_def)) {} + + corpus_type Init(absl::BitGenRef prng) { + if (auto seed = this->MaybeGetRandomSeed(prng)) return *seed; + return inner_.Init(prng); + } + + void Mutate(corpus_type& val, absl::BitGenRef prng, + const domain_implementor::MutationMetadata& metadata, + bool only_shrink) { + inner_.Mutate(val, prng, metadata, only_shrink); + } + + value_type GetValue(corpus_type value) const { + return inner_.GetValue(value); + } + + std::optional FromValue(const value_type& v) const { + return inner_.FromValue(v); + } + + std::optional ParseCorpus(const IRObject& obj) const { + return inner_.ParseCorpus(obj); + } + + IRObject SerializeCorpus(const corpus_type& v) const { + return inner_.SerializeCorpus(v); 
+ } + + absl::Status ValidateCorpusValue(const corpus_type& corpus_value) const { + return inner_.ValidateCorpusValue(corpus_value); + } + + auto GetPrinter() const { return Printer{*this}; } + + private: + const reflection::Enum* enum_def_; + ElementOfImpl inner_; + + static std::vector GetEnumValues( + const reflection::Enum* enum_def) { + std::vector values; + values.reserve(enum_def->values()->size()); + for (const auto* value : *enum_def->values()) { + values.push_back(value->value()); + } + return values; + } + + struct Printer { + const FlatbuffersEnumDomainImpl& self; + void PrintCorpusValue(const corpus_type& value, + domain_implementor::RawSink out, + domain_implementor::PrintMode mode) const { + if (mode == domain_implementor::PrintMode::kHumanReadable) { + auto user_value = self.GetValue(value); + absl::Format( + out, "%s", + self.enum_def_->values()->LookupByKey(user_value)->name()->str()); + } else { + absl::Format(out, "%d", value); + } + } + }; +}; + +// Domain implementation for flatbuffers untyped tables. +// The corpus type is a map of field ids to field values. +class FlatbuffersTableUntypedDomainImpl + : public fuzztest::domain_implementor::DomainBase< + // Derived, for CRTP needs. See DomainBase for more details. + FlatbuffersTableUntypedDomainImpl, + // ValueType - user facing type + const flatbuffers::Table* absl_nonnull, + // CorpusType - internal representation of ValueType, + // a map of field ids to field values. + absl::flat_hash_map< + // a.k.a. uint16_t + decltype(static_cast(nullptr)->id()), + // Fancy wrapper around `void*`: knows about the exact type of + // stored value and can copy it using exact type copy constructor + // via `CopyFrom` method. 
+ fuzztest::GenericDomainCorpusType>> { + public: + using typename FlatbuffersTableUntypedDomainImpl::DomainBase::corpus_type; + using typename FlatbuffersTableUntypedDomainImpl::DomainBase::value_type; + using FieldIdT = typename corpus_type::key_type; + + explicit FlatbuffersTableUntypedDomainImpl( + const reflection::Schema* schema, const reflection::Object* table_object) + : schema_(schema), table_object_(table_object) {} + + FlatbuffersTableUntypedDomainImpl( + const FlatbuffersTableUntypedDomainImpl& other) + : schema_(other.schema_), table_object_(other.table_object_) { + absl::MutexLock l_other(&other.mutex_); + absl::MutexLock l_this(&mutex_); + domains_ = other.domains_; + } + + FlatbuffersTableUntypedDomainImpl& operator=( + const FlatbuffersTableUntypedDomainImpl& other) { + schema_ = other.schema_; + table_object_ = other.table_object_; + absl::MutexLock l_other(&other.mutex_); + absl::MutexLock l_this(&mutex_); + domains_ = other.domains_; + return *this; + } + + FlatbuffersTableUntypedDomainImpl(FlatbuffersTableUntypedDomainImpl&& other) + : schema_(other.schema_), table_object_(other.table_object_) { + absl::MutexLock l_other(&other.mutex_); + absl::MutexLock l_this(&mutex_); + domains_ = std::move(other.domains_); + } + + FlatbuffersTableUntypedDomainImpl& operator=( + FlatbuffersTableUntypedDomainImpl&& other) { + schema_ = other.schema_; + table_object_ = other.table_object_; + absl::MutexLock l_other(&other.mutex_); + absl::MutexLock l_this(&mutex_); + domains_ = std::move(other.domains_); + return *this; + } + + // Initializes the corpus value. + corpus_type Init(absl::BitGenRef prng) { + if (auto seed = this->MaybeGetRandomSeed(prng)) { + return *seed; + } + corpus_type val; + for (const auto* field : *table_object_->fields()) { + VisitFlatbufferField(field, InitializeVisitor{*this, prng, val}); + } + return val; + } + + // Mutates the corpus value. 
+ void Mutate(corpus_type& val, absl::BitGenRef prng, + const domain_implementor::MutationMetadata& metadata, + bool only_shrink) { + auto total_weight = CountNumberOfFields(val); + auto selected_weight = + absl::Uniform(absl::IntervalClosedClosed, prng, 0ul, total_weight - 1); + + MutateSelectedField(val, prng, metadata, only_shrink, selected_weight); + } + + // Returns the domain for the given field. + template + auto GetDomainForField(const reflection::Field* field) const { + if constexpr (std::is_same_v) { + FUZZTEST_INTERNAL_CHECK( + false, "Arrays in tables are not supported in flatbuffers."); + // Return a placeholder domain to make the compiler happy. + return Domain>{Arbitrary>()}; + } else if constexpr (is_flatbuffers_enum_tag_v) { + auto enum_object = schema_->enums()->Get(field->type()->index()); + auto domain = + OptionalOf(FlatbuffersEnumDomainImpl(enum_object)); + if (!field->optional()) { + domain.SetWithoutNull(); + } + return Domain>{domain}; + } else if constexpr (std::is_same_v) { + // TODO(b/399123660): Implement this. + return Domain>(OptionalOf(ArbitraryImpl())); + } else if constexpr (std::is_same_v) { + // TODO(b/399123660): Implement this. + return Domain>(OptionalOf(ArbitraryImpl())); + } else if constexpr (std::is_same_v) { + // TODO(b/399123660): Implement this. + return Domain>(OptionalOf(ArbitraryImpl())); + } else { + auto inner = OptionalOf(ArbitraryImpl()); + if (!field->optional()) { + inner.SetWithoutNull(); + } + return Domain>{inner}; + } + } + + // Returns the domain for the given field. + // The domain is cached, and the same instance is returned for the same field. + template + auto& GetSubDomain(const reflection::Field* field) const { + using DomainT = decltype(GetDomainForField(field)); + // Do the operation under a lock to prevent race conditions in `const` + // methods. 
+ absl::MutexLock l(&mutex_); + auto it = domains_.find(field->id()); + if (it == domains_.end()) { + it = domains_ + .try_emplace(field->id(), std::in_place_type, + GetDomainForField(field)) + .first; + } + return it->second.template GetAs(); + } + + // Counts the number of fields that can be mutated. + uint64_t CountNumberOfFields(corpus_type& val) { + uint64_t total_weight = 0; + for (const auto* field : *table_object_->fields()) { + reflection::BaseType base_type = field->type()->base_type(); + if (flatbuffers::IsScalar(base_type)) { + ++total_weight; + } else if (base_type == reflection::BaseType::String) { + ++total_weight; + } + } + return total_weight; + } + + // Mutates the selected field. + // The selected field index is based on the flattened tree. + uint64_t MutateSelectedField( + corpus_type& val, absl::BitGenRef prng, + const domain_implementor::MutationMetadata& metadata, bool only_shrink, + uint64_t selected_field_index) { + uint64_t field_counter = 0; + for (const auto* field : *table_object_->fields()) { + ++field_counter; + + if (field_counter == selected_field_index + 1) { + VisitFlatbufferField( + field, MutateVisitor{*this, prng, metadata, only_shrink, val}); + return field_counter; + } + + if (field_counter > selected_field_index) { + return field_counter; + } + } + return field_counter; + } + + auto GetPrinter() const { return Printer{*this}; } + + absl::Status ValidateCorpusValue(const corpus_type& corpus_value) const { + for (const auto& [id, field_corpus] : corpus_value) { + const reflection::Field* absl_nullable field = GetFieldById(id); + if (field == nullptr) continue; + absl::Status result; + VisitFlatbufferField(field, ValidateVisitor{*this, field_corpus, result}); + if (!result.ok()) return result; + } + return absl::OkStatus(); + } + + value_type GetValue(const corpus_type& value) const { + FUZZTEST_INTERNAL_CHECK(false, + "GetValue is not supported for flatbuffers."); + // Untyped domain does not support GetValue since if it is a 
nested table it + // would need the top level table corpus value to be able to build it. + return nullptr; + } + + // Converts the table pointer to a corpus value. + std::optional FromValue(const value_type& value) const { + if (value == nullptr) { + return std::nullopt; + } + corpus_type ret; + for (const auto* field : *table_object_->fields()) { + VisitFlatbufferField(field, FromValueVisitor{*this, value, ret}); + } + return ret; + } + + // Converts the IRObject to a corpus value. + std::optional ParseCorpus(const IRObject& obj) const { + corpus_type out; + auto subs = obj.Subs(); + if (!subs) { + return std::nullopt; + } + // Follows the structure created by `SerializeCorpus` to deserialize the + // IRObject. + + // subs->size() represents the number of fields in the table. + out.reserve(subs->size()); + for (const auto& sub : *subs) { + auto pair_subs = sub.Subs(); + // Each field is represented by a pair of field id and the serialized + // corpus value. + if (!pair_subs || pair_subs->size() != 2) { + return std::nullopt; + } + + // Deserialize the field id. + auto id = (*pair_subs)[0].GetScalar(); + if (!id.has_value()) { + return std::nullopt; + } + + // Get information about the field from reflection. + const reflection::Field* absl_nullable field = GetFieldById(id.value()); + if (field == nullptr) { + return std::nullopt; + } + + // Deserialize the field corpus value. + std::optional inner_parsed; + VisitFlatbufferField(field, + ParseVisitor{*this, (*pair_subs)[1], inner_parsed}); + if (!inner_parsed) { + return std::nullopt; + } + out[id.value()] = *std::move(inner_parsed); + } + return out; + } + + // Converts the corpus value to an IRObject. + IRObject SerializeCorpus(const corpus_type& value) const { + IRObject out; + auto& subs = out.MutableSubs(); + subs.reserve(value.size()); + + // Each field is represented by a pair of field id and the serialized + // corpus value. 
+ for (const auto& [id, field_corpus] : value) { + // Get information about the field from reflection. + const reflection::Field* absl_nullable field = GetFieldById(id); + if (field == nullptr) { + continue; + } + IRObject& pair = subs.emplace_back(); + auto& pair_subs = pair.MutableSubs(); + pair_subs.reserve(2); + + // Serialize the field id. + pair_subs.emplace_back(field->id()); + + // Serialize the field corpus value. + VisitFlatbufferField(field, SerializeVisitor{*this, field_corpus, + pair_subs.emplace_back()}); + } + return out; + } + + uint32_t BuildTable(const corpus_type& value, + flatbuffers::FlatBufferBuilder& builder) const { + // Add all the fields to the builder. + + // Offsets is the map of field id to its offset in the table. + absl::flat_hash_map offsets; + + // Some fields are stored inline in the flatbuffer table itself (a.k.a + // "inline fields") and some are referenced by their offsets (a.k.a. "out of + // line fields"). + // + // "Out of line fields" shall be added to the builder first, so that we can + // refer to them in the final table. + for (const auto& [id, field_corpus] : value) { + const reflection::Field* absl_nullable field = GetFieldById(id); + if (field == nullptr) { + continue; + } + // Take care of strings, and tables. + VisitFlatbufferField(field, TableFieldBuilderVisitor{ + *this, builder, offsets, field_corpus}); + } + + // Now it is time to build the final table. + uint32_t table_start = builder.StartTable(); + for (const auto& [id, field_corpus] : value) { + const reflection::Field* absl_nullable field = GetFieldById(id); + if (field == nullptr) { + continue; + } + + // Visit all fields. + // + // Inline fields will be stored in the table itself, out of line fields + // will be referenced by their offsets. 
+ VisitFlatbufferField( + field, TableBuilderVisitor{*this, builder, offsets, field_corpus}); + } + return builder.EndTable(table_start); + } + + private: + const reflection::Schema* absl_nonnull schema_; + const reflection::Object* absl_nonnull table_object_; + mutable absl::Mutex mutex_; + mutable absl::flat_hash_map domains_ + ABSL_GUARDED_BY(mutex_); + + const reflection::Field* absl_nullable GetFieldById(FieldIdT id) const { + const auto it = + absl::c_find_if(*table_object_->fields(), + [id](const auto* field) { return field->id() == id; }); + return it != table_object_->fields()->end() ? *it : nullptr; + } + + struct SerializeVisitor { + const FlatbuffersTableUntypedDomainImpl& self; + const GenericDomainCorpusType& corpus_value; + IRObject& out; + + template + void Visit(const reflection::Field* absl_nonnull field) { + out = self.GetSubDomain(field).SerializeCorpus(corpus_value); + } + }; + + struct FromValueVisitor { + const FlatbuffersTableUntypedDomainImpl& self; + value_type value; + corpus_type& out; + + template + void Visit(const reflection::Field* absl_nonnull field) const { + [[maybe_unused]] + reflection::BaseType base_type = field->type()->base_type(); + auto& domain = self.GetSubDomain(field); + value_type_t> inner_value; + + if constexpr (is_flatbuffers_enum_tag_v) { + FUZZTEST_INTERNAL_CHECK(base_type >= reflection::BaseType::Byte && + base_type <= reflection::BaseType::ULong, + "Field must be an enum type."); + if (field->optional() && !value->CheckField(field->offset())) { + inner_value = std::nullopt; + } else { + inner_value = std::optional(value->GetField( + field->offset(), field->default_integer())); + } + } else if constexpr (std::is_integral_v) { + FUZZTEST_INTERNAL_CHECK(base_type >= reflection::BaseType::Bool && + base_type <= reflection::BaseType::ULong, + "Field must be an integer type."); + if (field->optional() && !value->CheckField(field->offset())) { + inner_value = std::nullopt; + } else { + inner_value = std::optional( + 
value->GetField(field->offset(), field->default_integer())); + } + } else if constexpr (std::is_floating_point_v) { + FUZZTEST_INTERNAL_CHECK(base_type >= reflection::BaseType::Float && + base_type <= reflection::BaseType::Double, + "Field must be a floating point type."); + if (field->optional() && !value->CheckField(field->offset())) { + inner_value = std::nullopt; + } else { + inner_value = std::optional( + value->GetField(field->offset(), field->default_real())); + } + } else if constexpr (std::is_same_v) { + FUZZTEST_INTERNAL_CHECK(base_type == reflection::BaseType::String, + "Field must be a string type."); + if (!value->CheckField(field->offset())) { + inner_value = std::nullopt; + } else { + inner_value = std::optional( + value->GetPointer(field->offset())->str()); + } + } + + auto inner = domain.FromValue(inner_value); + if (inner) { + out[field->id()] = *std::move(inner); + } + }; + }; + + // Create out-of-line table fields, see `BuildTable` for details. + struct TableFieldBuilderVisitor { + const FlatbuffersTableUntypedDomainImpl& self; + flatbuffers::FlatBufferBuilder& builder; + absl::flat_hash_map& offsets; + const typename corpus_type::value_type::second_type& corpus_value; + + template + void Visit(const reflection::Field* absl_nonnull field) const { + if constexpr (std::is_same_v) { + auto& domain = self.GetSubDomain(field); + auto user_value = domain.GetValue(corpus_value); + if (user_value.has_value()) { + auto offset = + builder.CreateString(user_value->data(), user_value->size()).o; + offsets.insert({field->id(), offset}); + } + } + } + }; + + // Create complete table: store "inline fields" values inline, and store just + // offsets for "out-of-line fields". See `BuildTable` for details. 
+ struct TableBuilderVisitor { + const FlatbuffersTableUntypedDomainImpl& self; + flatbuffers::FlatBufferBuilder& builder; + const absl::flat_hash_map& offsets; + const typename corpus_type::value_type::second_type& corpus_value; + + template + void Visit(const reflection::Field* absl_nonnull field) const { + auto size = flatbuffers::GetTypeSize(field->type()->base_type()); + if constexpr (std::is_integral_v || std::is_floating_point_v || + is_flatbuffers_enum_tag_v) { + auto& domain = self.GetSubDomain(field); + auto v = domain.GetValue(corpus_value); + if (!v) { + return; + } + // Store "inline field" value inline. + builder.Align(size); + builder.PushBytes(reinterpret_cast(&v), size); + builder.TrackField(field->offset(), builder.GetSize()); + } else if constexpr (std::is_same_v) { + // "Out-of-line field". Store just offset. + if (auto it = offsets.find(field->id()); it != offsets.end()) { + builder.AddOffset( + field->offset(), + flatbuffers::Offset(it->second)); + } + } + } + }; + + struct ParseVisitor { + const FlatbuffersTableUntypedDomainImpl& self; + const IRObject& obj; + std::optional& out; + + template + void Visit(const reflection::Field* absl_nonnull field) { + out = self.GetSubDomain(field).ParseCorpus(obj); + } + }; + + struct ValidateVisitor { + const FlatbuffersTableUntypedDomainImpl& self; + const GenericDomainCorpusType& corpus_value; + absl::Status& out; + + template + void Visit(const reflection::Field* absl_nonnull field) { + auto& domain = self.GetSubDomain(field); + out = domain.ValidateCorpusValue(corpus_value); + if (!out.ok()) { + out = Prefix(out, absl::StrCat("Invalid value for field ", + field->name()->str())); + } + } + }; + + struct InitializeVisitor { + FlatbuffersTableUntypedDomainImpl& self; + absl::BitGenRef prng; + corpus_type& val; + + template + void Visit(const reflection::Field* absl_nonnull field) { + auto& domain = self.GetSubDomain(field); + val[field->id()] = domain.Init(prng); + } + }; + + struct MutateVisitor { + 
FlatbuffersTableUntypedDomainImpl& self; + absl::BitGenRef prng; + const domain_implementor::MutationMetadata& metadata; + bool only_shrink; + corpus_type& val; + + template + void Visit(const reflection::Field* absl_nonnull field) { + auto& domain = self.GetSubDomain(field); + if (auto it = val.find(field->id()); it != val.end()) { + domain.Mutate(it->second, prng, metadata, only_shrink); + } else if (!only_shrink) { + val[field->id()] = domain.Init(prng); + } + } + }; + + struct Printer { + const FlatbuffersTableUntypedDomainImpl& self; + + void PrintCorpusValue(const corpus_type& value, + domain_implementor::RawSink out, + domain_implementor::PrintMode mode) const { + std::vector field_ids; + for (const auto& [id, _] : value) { + field_ids.push_back(id); + } + // Sort the field ids to make the output deterministic. + std::sort(field_ids.begin(), field_ids.end()); + + absl::Format(out, "{"); + bool first = true; + for (const auto id : field_ids) { + if (!first) { + absl::Format(out, ", "); + } + const reflection::Field* absl_nullable field = self.GetFieldById(id); + if (field == nullptr) { + absl::Format(out, "", id); + } else { + VisitFlatbufferField(field, + PrinterVisitor{self, value.at(id), out, mode}); + } + first = false; + } + absl::Format(out, "}"); + } + }; + + struct PrinterVisitor { + const FlatbuffersTableUntypedDomainImpl& self; + const GenericDomainCorpusType& val; + domain_implementor::RawSink out; + domain_implementor::PrintMode mode; + + template + void Visit(const reflection::Field* absl_nonnull field) const { + auto& domain = self.GetSubDomain(field); + absl::Format(out, "%s: ", field->name()->str()); + domain_implementor::PrintValue(domain, val, out, mode); + } + }; +}; + +// Corpus type for the table domain +struct FlatbuffersTableDomainCorpusType { + // Map of field ids to field values. + typename FlatbuffersTableUntypedDomainImpl::corpus_type untyped_corpus; + // Serialized flatbuffer. 
+ std::vector buffer; +}; + +// Domain implementation for flatbuffers generated table classes. +// The corpus type is a pair of: +// - A map of field ids to field values. +// - The serialized buffer of the table. +template +class FlatbuffersTableDomainImpl + : public fuzztest::domain_implementor::DomainBase< + // Derived, for CRTP needs. See DomainBase for more details. + FlatbuffersTableDomainImpl, + // ValueType - user facing type, exact flatbuffer + const T* absl_nonnull, + // CorpusType - internal representation of ValueType + FlatbuffersTableDomainCorpusType> { + public: + using typename FlatbuffersTableDomainImpl::DomainBase::corpus_type; + using typename FlatbuffersTableDomainImpl::DomainBase::value_type; + + FlatbuffersTableDomainImpl() { + flatbuffers::Verifier verifier(T::BinarySchema::data(), + T::BinarySchema::size()); + FUZZTEST_INTERNAL_CHECK(reflection::VerifySchemaBuffer(verifier), + "Invalid schema for flatbuffers table."); + auto schema = reflection::GetSchema(T::BinarySchema::data()); + auto table_object = + schema->objects()->LookupByKey(T::GetFullyQualifiedName()); + inner_ = FlatbuffersTableUntypedDomainImpl{schema, table_object}; + } + + FlatbuffersTableDomainImpl(const FlatbuffersTableDomainImpl& other) + : inner_(other.inner_) { + builder_.Clear(); + } + + FlatbuffersTableDomainImpl& operator=( + const FlatbuffersTableDomainImpl& other) { + if (this == &other) return *this; + inner_ = other.inner_; + builder_.Clear(); + return *this; + } + + FlatbuffersTableDomainImpl(FlatbuffersTableDomainImpl&& other) + : inner_(std::move(other.inner_)) { + builder_.Clear(); + } + + FlatbuffersTableDomainImpl& operator=(FlatbuffersTableDomainImpl&& other) { + if (this == &other) return *this; + inner_ = std::move(other.inner_); + builder_.Clear(); + return *this; + } + + // Initializes the table with random values. 
+ corpus_type Init(absl::BitGenRef prng) { + if (auto seed = this->MaybeGetRandomSeed(prng)) return *seed; + + // Create new map of field ids to field values + auto val = inner_->Init(prng); + // Serialize the map into a flatbuffer + auto offset = inner_->BuildTable(val, builder_); + builder_.Finish(flatbuffers::Offset(offset)); + // Store the serialized buffer in a vector. + auto buffer = + std::vector(builder_.GetBufferPointer(), + builder_.GetBufferPointer() + builder_.GetSize()); + builder_.Clear(); + + // Return corpus value: pair of the map and the serialized buffer. + return FlatbuffersTableDomainCorpusType{val, std::move(buffer)}; + } + + // Returns the number of fields in the table. + uint64_t CountNumberOfFields(corpus_type& val) { + return inner_->CountNumberOfFields(val.untyped_corpus); + } + + // Mutates the given corpus value. + void Mutate(corpus_type& val, absl::BitGenRef prng, + const domain_implementor::MutationMetadata& metadata, + bool only_shrink) { + // Modify values in the map. + inner_->Mutate(val.untyped_corpus, prng, metadata, only_shrink); + // Serialize the map into a flatbuffer and store it in vector + val.buffer = BuildBuffer(val.untyped_corpus); + } + + // Converts corpus value into the exact flatbuffer. + value_type GetValue(const corpus_type& value) const { + return flatbuffers::GetRoot(value.buffer.data()); + } + + // Creates corpus value from the exact flatbuffer. + std::optional FromValue(const value_type& value) const { + auto val = inner_->FromValue((const flatbuffers::Table*)value); + if (!val.has_value()) return std::nullopt; + return std::optional( + FlatbuffersTableDomainCorpusType{*val, BuildBuffer(*val)}); + } + + // Returns the printer for the table. + auto GetPrinter() const { return Printer{*inner_}; } + + // Returns the parsed corpus value. 
+ std::optional ParseCorpus(const IRObject& obj) const { + auto val = inner_->ParseCorpus(obj); + if (!val.has_value()) return std::nullopt; + return std::optional( + FlatbuffersTableDomainCorpusType{*val, BuildBuffer(*val)}); + } + + // Returns the serialized corpus value. + IRObject SerializeCorpus(const corpus_type& corpus_value) const { + return inner_->SerializeCorpus(corpus_value.untyped_corpus); + } + + // Returns the status of the given corpus value. + absl::Status ValidateCorpusValue(const corpus_type& corpus_value) const { + return inner_->ValidateCorpusValue(corpus_value.untyped_corpus); + } + + private: + std::optional inner_; + mutable flatbuffers::FlatBufferBuilder builder_; + + struct Printer { + const FlatbuffersTableUntypedDomainImpl& inner; + + void PrintCorpusValue(const corpus_type& value, + domain_implementor::RawSink out, + domain_implementor::PrintMode mode) const { + inner.GetPrinter().PrintCorpusValue(value.untyped_corpus, out, mode); + } + }; + + std::vector BuildBuffer( + const corpus_type_t& val) const { + auto offset = inner_->BuildTable(val, builder_); + builder_.Finish(flatbuffers::Offset(offset)); + auto buffer = + std::vector(builder_.GetBufferPointer(), + builder_.GetBufferPointer() + builder_.GetSize()); + builder_.Clear(); + return buffer; + } +}; + +template +class ArbitraryImpl>> + : public FlatbuffersTableDomainImpl {}; + +} // namespace fuzztest::internal +#endif // FUZZTEST_FUZZTEST_INTERNAL_DOMAINS_FLATBUFFERS_DOMAIN_IMPL_H_ diff --git a/fuzztest/internal/meta.h b/fuzztest/internal/meta.h index 4ddada107..c36d80b9a 100644 --- a/fuzztest/internal/meta.h +++ b/fuzztest/internal/meta.h 
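Review bot: In `TableBuilderVisitor::Visit` the `builder.PushBytes(...)` call is handed `&v`, and `v` is the optional returned by `domain.GetValue(corpus_value)` (it is tested with `if (!v)` just above), not the scalar inside it. The call therefore copies `size` bytes of the optional's object representation, which matches the scalar only where the library happens to store the payload first, and it also skips the builder's little-endian conversion. Passing the address of the contained value, `&*v`, or using the builder's typed `PushElement(*v)`, avoids both problems. Separately, `Mutate` computes `total_weight - 1` from `CountNumberOfFields`, which wraps around when a table has no scalar or string fields, and `MutateSelectedField` increments its counter for every field while `CountNumberOfFields` counts only scalars and strings, so the selected index does not map onto the counted fields. A guard such as `if (total_weight == 0) return;` and the same type filter in both loops would address that.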
@@ -200,6 +200,22 @@ template inline constexpr bool is_protocol_buffer_enum_v = IsProtocolBufferEnumImpl(true); +template +inline constexpr bool is_flatbuffers_table_v = false; + +// Flatbuffers tables generated structs do not have a public base class, so we +// check for a few specific methods: +// - T is a struct. +// - T has a `Builder` type. +// - T has a `BinarySchema` type with a static method `data()` (only available +// when passing `--bfbs-gen-embed` to the flatbuffer compiler). +// - T has a static method called `GetFullyQualifiedName` (only available when +// passing `--gen-name-strings` to the flatbuffer compiler). +template +inline constexpr bool is_flatbuffers_table_v< + T, std::void_t> = true; + template inline constexpr bool has_size_v = Requires([](auto v) -> decltype(v.size()) {}); diff --git a/fuzztest/internal/test_flatbuffers.fbs b/fuzztest/internal/test_flatbuffers.fbs new file mode 100644 index 000000000..56791f0d7 --- /dev/null +++ b/fuzztest/internal/test_flatbuffers.fbs 
@@ -0,0 +1,90 @@
+namespace fuzztest.internal;
+
+enum ByteEnum: byte {
+ First,
+ Second
+}
+enum ShortEnum: short {
+ First,
+ Second
+}
+
+enum IntEnum: int {
+ First,
+ Second
+}
+
+enum LongEnum: long {
+ First,
+ Second
+}
+
+enum UByteEnum: ubyte {
+ First,
+ Second
+}
+
+enum UShortEnum: ushort {
+ First,
+ Second
+}
+enum UIntEnum: uint {
+ First,
+ Second
+}
+enum ULongEnum: ulong {
+ First,
+ Second
+}
+
+table DefaultTable {
+ b: bool;
+ i8: byte;
+ i16: short;
+ i32: int;
+ i64: long;
+ u8: ubyte;
+ u16: ushort;
+ u32: uint;
+ u64: ulong;
+ f: float;
+ d: double;
+ str: string;
+ ei8: ByteEnum;
+ ei16: ShortEnum;
+ ei32: IntEnum;
+ ei64: LongEnum;
+ eu8: UByteEnum;
+ eu16: UShortEnum;
+ eu32: UIntEnum;
+ eu64: ULongEnum;
+}
+
+table OptionalTable {
+ b: bool = null;
+ i8: byte = null;
+ i16: short = null;
+ i32: int = null;
+ i64: long = null;
+ u8: ubyte = null;
+ u16: ushort = null;
+ u32: uint = null;
+ u64: ulong = null;
+ f: float = null;
+ d: double = null;
+ str: string;
+ ei8: ByteEnum = null;
+ ei16: ShortEnum = null;
+ ei32: IntEnum = null;
+ ei64: LongEnum = null;
+ eu8: UByteEnum = null;
+ eu16: UShortEnum = null;
+ eu32: UIntEnum = null;
+ eu64: ULongEnum = null;
+}
+
+table RequiredTable {
+ str: string (required);
+}
+
+root_type DefaultTable;