diff options
author | Vincent Ambo <mail@tazj.in> | 2020-07-15T07·20+0100 |
---|---|---|
committer | Vincent Ambo <mail@tazj.in> | 2020-07-15T07·20+0100 |
commit | 7f19d641647ac4ef313ed88d6b5c140983ce5436 (patch) | |
tree | 31b66c81465293da5c093c5dde3e419758c0d6cc /test/flex_vector/fuzzed-1.cpp |
Squashed 'third_party/immer/' content from commit ad3e3556d
git-subtree-dir: third_party/immer git-subtree-split: ad3e3556d38bb75966dd24c61a774970a7c7957e
Diffstat (limited to 'test/flex_vector/fuzzed-1.cpp')
-rw-r--r-- | test/flex_vector/fuzzed-1.cpp | 368 |
1 files changed, 368 insertions, 0 deletions
diff --git a/test/flex_vector/fuzzed-1.cpp b/test/flex_vector/fuzzed-1.cpp new file mode 100644 index 000000000000..d924dc3a8310 --- /dev/null +++ b/test/flex_vector/fuzzed-1.cpp @@ -0,0 +1,368 @@ +// +// immer: immutable data structures for C++ +// Copyright (C) 2016, 2017, 2018 Juan Pedro Bolivar Puente +// +// This software is distributed under the Boost Software License, Version 1.0. +// See accompanying file LICENSE or copy at http://boost.org/LICENSE_1_0.txt +// + +#include "extra/fuzzer/fuzzer_input.hpp" +#include <array> +#include <catch.hpp> +#include <immer/flex_vector.hpp> +#include <iostream> + +#define IMMER_FUZZED_TRACE_ENABLE 0 + +#if IMMER_FUZZED_TRACE_ENABLE +#define IMMER_FUZZED_TRACE(...) std::cout << __VA_ARGS__ << std::endl; +#else +#define IMMER_FUZZED_TRACE(...) +#endif + +namespace { + +template <std::size_t VarCount = 2, unsigned Bits = 2> +int run_input(const std::uint8_t* data, std::size_t size) +{ + using vector_t = + immer::flex_vector<int, immer::default_memory_policy, Bits, Bits>; + using size_t = std::uint8_t; + + auto vars = std::array<vector_t, VarCount>{}; + +#if IMMER_FUZZED_TRACE_ENABLE + std::cout << "/// new test run" << std::endl; + for (auto i = 0u; i < VarCount; ++i) + std::cout << "auto var" << i << " = vector_t{};" << std::endl; +#endif + + auto is_valid_var = [&](auto idx) { return idx >= 0 && idx < VarCount; }; + auto is_valid_index = [](auto& v) { + return [&](auto idx) { return idx >= 0 && idx < v.size(); }; + }; + auto is_valid_size = [](auto& v) { + return [&](auto idx) { return idx >= 0 && idx <= v.size(); }; + }; + auto can_concat = [](auto&& v1, auto&& v2) { + using size_type = decltype(v1.size()); + return v2.size() < (std::numeric_limits<size_type>::max() - v1.size()); + }; + auto can_insert = [](auto&& v1) { + using size_type = decltype(v1.size()); + return v1.size() < std::numeric_limits<size_type>::max(); + }; + + return fuzzer_input{data, size}.run([&](auto& in) { + enum ops + { + op_push_back, + op_update, + op_take, + op_drop, + op_concat, + op_push_back_move, + op_update_move, + }; + auto src = read<std::uint8_t>(in, is_valid_var); + auto dst = read<std::uint8_t>(in, is_valid_var); + switch (read<char>(in)) { + case op_push_back: + if (can_insert(vars[src])) { + IMMER_FUZZED_TRACE("var" << +dst << " = var" << +src + << ".push_back(42);"); + vars[dst] = vars[src].push_back(42); + } + break; + case op_update: { + auto idx = read<size_t>(in, is_valid_index(vars[src])); + IMMER_FUZZED_TRACE("var" << +dst << " = var" << +src << ".update(" + << +idx + << ", [] (auto x) { return x + 1; });"); + vars[dst] = vars[src].update(idx, [](auto x) { return x + 1; }); + break; + } + case op_take: { + auto idx = read<size_t>(in, is_valid_size(vars[src])); + IMMER_FUZZED_TRACE("var" << +dst << " = var" << +src << ".take(" + << +idx << ");"); + vars[dst] = vars[src].take(idx); + break; + } + case op_drop: { + auto idx = read<size_t>(in, is_valid_size(vars[src])); + IMMER_FUZZED_TRACE("var" << +dst << " = var" << +src << ".take(" + << +idx << ");"); + vars[dst] = vars[src].drop(idx); + break; + } + case op_concat: { + auto src2 = read<std::uint8_t>(in, is_valid_var); + if (can_concat(vars[src], vars[src2])) { + IMMER_FUZZED_TRACE("var" << +dst << " = var" << +src << " + var" + << +src2 << ";"); + vars[dst] = vars[src] + vars[src2]; + } + break; + } + case op_push_back_move: { + if (can_insert(vars[src])) { + IMMER_FUZZED_TRACE("var" << +dst << " = std::move(var" << +src + << ").push_back(21);"); + vars[dst] = std::move(vars[src]).push_back(21); + } + break; + } + case op_update_move: { + auto idx = read<size_t>(in, is_valid_index(vars[src])); + IMMER_FUZZED_TRACE("var" << +dst << " = std::move(var" << +src + << ").update(" << +idx + << ", [] (auto x) { return x + 1; });"); + vars[dst] = + std::move(vars[src]).update(idx, [](auto x) { return x + 1; }); + break; + } + default: + break; + }; + return true; + }); +} + +} // anonymous namespace + +TEST_CASE("bug: memory leak because of move update") +{ + // There was a problem caused with shared "sizes buffer" in + // relaxed nodes. In particular, the ensure_mutable_relaxed(...) + // function was not decremeting the old sizes buffer. That is why + // the last transient push_back (which uses mutable operations) + // causes some of the relaxed buffers that are created during the + // previous concatenations, and that start to be shared from the + // update() onwards, to later be leaked. + SECTION("simplified") + { + using vector_t = + immer::flex_vector<int, immer::default_memory_policy, 2, 2>; + auto var0 = vector_t{}; + auto var1 = vector_t{}; + var0 = var0.push_back(42); + var0 = var0.push_back(42); + var0 = var0.push_back(42); + var0 = var0 + var0; + var1 = var0.push_back(42); + var0 = var0 + var1; + var1 = var0.push_back(42); + var0 = var0 + var0; + var0 = var1 + var0; + var0 = var1.update(5, [](auto x) { return x + 1; }); + var0 = std::move(var0).push_back(21); + } + +#if __GNUC__ != 9 + SECTION("") + { + constexpr std::uint8_t input[] = { + 0xff, 0x0, 0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x40, 0x0, 0x0, 0x4, 0x0, 0x6d, 0x6d, 0x0, 0x1, 0x0, 0x4, + 0x6d, 0x6d, 0x6d, 0x0, 0x0, 0x4, 0x1, 0x6d, 0x6d, 0x0, 0x1, + 0x0, 0x0, 0x0, 0x4, 0x28, 0x0, 0xfc, 0x1, 0x0, 0x4, 0x0, + 0x0, 0x0, 0xfc, 0x1, 0x0, 0x1, 0x5, 0x0, 0x0, 0x1, 0x5, + 0x0, 0x0, 0x5, 0x0, 0x0, 0xff, 0xff, 0xff, 0x27, + }; + CHECK(run_input(input, sizeof(input)) == 0); + } +#endif +} + +TEST_CASE("non-bug: crash") +{ + // This is an interesting finding that is left here for + // documentation. This test actually should not run... the + // problem is that when we build too large vectors via + // concatenation, we can sometimes "overflow the shift". This is + // a degenerate case that we won't fix, but this helped adding + // appropriate assertions to the code. + // + // To prevent this in further fuzzing, the can_concat check has + // been made stricter. + return; + + SECTION("simplified") + { + using vector_t = + immer::flex_vector<int, immer::default_memory_policy, 2, 2>; + auto var4 = vector_t{}; + var4 = var4.push_back(42); + var4 = var4.push_back(42); + var4 = var4.push_back(42); + var4 = var4.push_back(42); + var4 = var4.push_back(42); + auto var0 = var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var0 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4 + var4; + var4 = var4.update(4, [](auto x) { return x + 1; }); + } +#if __GNUC__ != 9 + SECTION("") + { + constexpr std::uint8_t input[] = { + 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x00, + 0x00, 0x00, 0x00, 0x04, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x00, 0x04, 0x04, 0x04, 0x00, 0x00, 0x00, 0x00, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x00, 0x2a, 0x00, + 0x00, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0xfc, 0xf9, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x05, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x05, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x05, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x23, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x00, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0xd5, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x05, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x23, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x00, 0x01, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x05, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x00, + 0x01, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x05, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3a, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x21, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x00, 0x04, 0x04, 0x00, 0x00, 0x04, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0x13, 0x13, 0x13, 0x13, 0x13, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x29, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x10, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x05, 0x04, 0x04, 0x04, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x3a, 0x00, 0x02, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x05, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x23, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, + 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x00, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x05, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x23, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x00, 0x01, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x05, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x00, 0x01, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x05, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x3a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x04, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x00, + }; + CHECK(run_input<8>(input, sizeof(input)) == 0); + } +#endif +} |