carbon-language · pk19604014 · Apr 11, 2022 · Mar 28, 2022 · Mar 28, 2022 · Mar 29, 2022
diff --git a/WORKSPACE b/WORKSPACE
@@ -248,6 +248,41 @@ rules_proto_dependencies()
 
 rules_proto_toolchains()
 
+###############################################################################
+# libprotobuf_mutator - for structured fuzzer testing.
+###############################################################################
+
+# libprotobuf_mutator uses cmake and doesn't provide a bazel BUILD file.
+MUTATOR_BUILD = """
+load("@rules_cc//cc:defs.bzl", "cc_library")
+
+cc_library(
+    name = "libprotobuf_mutator",
+    srcs = glob(
+        [
+            "src/**/*.cc",
+            "src/**/*.h",
+            "port/protobuf.h",
+        ],
+        exclude = ["**/*_test.cc"],
+    ),
+    hdrs = ["src/libfuzzer/libfuzzer_macro.h"],
+    include_prefix = "libprotobuf_mutator",
+    visibility = ["//visibility:public"],
+    deps = ["@com_google_protobuf//:protobuf"],
+)
+"""
+
+libprotobuf_mutator_version = "1.0"
+
+http_archive(
+    name = "com_google_libprotobuf_mutator",
+    build_file_content = MUTATOR_BUILD,
+    sha256 = "792f250fb546bde8590e72d64311ea00a70c175fd77df6bb5e02328fa15fe28e",
+    strip_prefix = "libprotobuf-mutator-%s" % libprotobuf_mutator_version,
+    urls = ["https://github.com/google/libprotobuf-mutator/archive/v%s.tar.gz" % libprotobuf_mutator_version],
+)
+
 ###############################################################################
 # Example conversion repositories
 ###############################################################################

diff --git a/bazel/cc_toolchains/clang_cc_toolchain_config.bzl b/bazel/cc_toolchains/clang_cc_toolchain_config.bzl
@@ -531,7 +531,10 @@ def _impl(ctx):
                     "-D_LIBCPP_DEBUG=1",
                 ])],
                 with_features = [
-                    with_feature_set(not_features = ["opt"]),
+                    # _LIBCPP_DEBUG=1 causes protobuf code to crash under asan
+                    #  with the following error:
+                    # 'Attempted to dereference a non-dereferenceable iterator'.
+                    with_feature_set(not_features = ["opt", "asan"]),
                 ],
             ),
         ],

diff --git a/executable_semantics/BUILD b/executable_semantics/BUILD
@@ -14,11 +14,25 @@ filegroup(
     srcs = ["data/prelude.carbon"],
 )
 
+cc_library(
+    name = "prelude",
+    srcs = ["prelude.cpp"],
+    hdrs = ["prelude.h"],
+    data = [":standard_libraries"],
+    deps = [
+        "//common:error",
+        "//executable_semantics/ast:declaration",
+        "//executable_semantics/common:arena",
+        "//executable_semantics/common:nonnull",
+        "//executable_semantics/syntax",
+    ],
+)
+
 cc_binary(
     name = "executable_semantics",
     srcs = ["main.cpp"],
-    data = [":standard_libraries"],
     deps = [
+        ":prelude",
         "//common:error",
         "//executable_semantics/common:arena",
         "//executable_semantics/common:nonnull",

diff --git a/executable_semantics/fuzzing/BUILD b/executable_semantics/fuzzing/BUILD
@@ -2,6 +2,8 @@
 # Exceptions. See /LICENSE for license information.
 # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 
+load("//bazel/fuzzing:rules.bzl", "cc_fuzz_test")
+
 cc_library(
     name = "ast_to_proto_lib",
     srcs = ["ast_to_proto.cpp"],
@@ -15,6 +17,19 @@ cc_library(
     ],
 )
 
+cc_library(
+    name = "fuzzer_util",
+    srcs = ["fuzzer_util.cpp"],
+    hdrs = ["fuzzer_util.h"],
+    deps = [
+        "//common:check",
+        "//common/fuzzing:carbon_cc_proto",
+        "//executable_semantics/ast",
+        "@com_google_protobuf//:protobuf_headers",
+        "@llvm-project//llvm:Support",
+    ],
+)
+
 cc_test(
     name = "ast_to_proto_test",
     srcs = ["ast_to_proto_test.cpp"],
@@ -36,6 +51,23 @@ cc_test(
     ],
 )
 
+cc_binary(
+    name = "fuzzverter",
+    srcs = ["fuzzverter.cpp"],
+    deps = [
+        ":ast_to_proto_lib",
+        ":fuzzer_util",
+        "//common:error",
+        "//common/fuzzing:carbon_cc_proto",
+        "//common/fuzzing:proto_to_carbon_lib",
+        "//executable_semantics/common:error",
+        "//executable_semantics/common:nonnull",
+        "//executable_semantics/syntax",
+        "@com_google_protobuf//:protobuf_headers",
+        "@llvm-project//llvm:Support",
+    ],
+)
+
 cc_test(
     name = "proto_to_carbon_test",
     srcs = ["proto_to_carbon_test.cpp"],
@@ -57,3 +89,21 @@ cc_test(
         "@llvm-project//llvm:Support",
     ],
 )
+
+cc_fuzz_test(
+    name = "executable_semantics_fuzzer",
+    size = "small",
+    srcs = ["executable_semantics_fuzzer.cpp"],
+    corpus = glob(["fuzzer_corpus/**"]),
+    deps = [
+        ":fuzzer_util",
+        "//common/fuzzing:carbon_cc_proto",
+        "//common/fuzzing:proto_to_carbon_lib",
+        "//executable_semantics:prelude",
+        "//executable_semantics/interpreter:exec_program",
+        "//executable_semantics/syntax",
+        "@com_google_libprotobuf_mutator//:libprotobuf_mutator",
+        "@com_google_protobuf//:protobuf_headers",
+        "@llvm-project//llvm:Support",
+    ],
+)
diff --git a/executable_semantics/fuzzing/executable_semantics_fuzzer.cpp b/executable_semantics/fuzzing/executable_semantics_fuzzer.cpp
@@ -0,0 +1,46 @@
+// Part of the Carbon Language project, under the Apache License v2.0 with LLVM
+// Exceptions. See /LICENSE for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+#include <google/protobuf/text_format.h>
+#include <libprotobuf_mutator/src/libfuzzer/libfuzzer_macro.h>
+
+#include "common/fuzzing/carbon.pb.h"
+#include "common/fuzzing/proto_to_carbon.h"
+#include "executable_semantics/fuzzing/fuzzer_util.h"
+#include "executable_semantics/interpreter/exec_program.h"
+#include "executable_semantics/prelude.h"
+#include "executable_semantics/syntax/parse.h"
+#include "llvm/Support/raw_ostream.h"
+
+namespace Carbon {
+
+// Parses and executes a fuzzer-generated program.
+// Takes `compilation_unit` by value to allow modifications like adding
+// `Main()`.
+void ParseAndExecute(Fuzzing::CompilationUnit compilation_unit) {
+  MaybeAddMain(compilation_unit);
+  const std::string source = ProtoToCarbon(compilation_unit);
+
+  Arena arena;
+  ErrorOr<AST> ast = ParseFromString(&arena, "Fuzzer.carbon", source,
+                                     /*trace=*/false);
+  if (!ast.ok()) {
+    llvm::errs() << "Parsing failed: " << ast.error().message() << "\n";
+    return;
+  }
+  AddPrelude("executable_semantics/data/prelude.carbon", &arena,
+             &ast->declarations);
+  const ErrorOr<int> result = ExecProgram(&arena, *ast, /*trace=*/false);
+  if (!result.ok()) {
+    llvm::errs() << "Execution failed: " << result.error().message() << "\n";
+    return;
+  }
+  llvm::outs() << "Executed OK: " << *result;
+}
+
+}  // namespace Carbon
+
+DEFINE_BINARY_PROTO_FUZZER(const Carbon::Fuzzing::Carbon& input) {
+  Carbon::ParseAndExecute(input.compilation_unit());
+}
diff --git a/executable_semantics/fuzzing/fuzzer_corpus/empty.binaryproto b/executable_semantics/fuzzing/fuzzer_corpus/empty.binaryproto
diff --git a/executable_semantics/fuzzing/fuzzer_util.cpp b/executable_semantics/fuzzing/fuzzer_util.cpp
@@ -0,0 +1,48 @@
+// Part of the Carbon Language project, under the Apache License v2.0 with LLVM
+// Exceptions. See /LICENSE for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+#include "executable_semantics/fuzzing/fuzzer_util.h"
+
+#include <google/protobuf/text_format.h>
+
+#include "common/check.h"
+
+namespace Carbon {
+
+// Appended to fuzzer-generated AST proto when the proto is missing
+// `Main()` definition, to prevent early error return in semantic analysis.
+static constexpr char EmptyMainDeclaration[] = R"pb(
+  function {
+    name: "Main"
+    param_pattern {}
+    return_term {
+      kind: Expression
+      type { int_type_literal {} }
+    }
+    body {
+      statements {
+        return_statement { expression { int_literal { value: 0 } } }
+      }
+    }
+  }
+)pb";
+
+auto MaybeAddMain(Fuzzing::CompilationUnit& compilation_unit) -> void {
+  const bool has_main = std::any_of(
+      compilation_unit.declarations().begin(),
+      compilation_unit.declarations().end(),
+      [](const Fuzzing::Declaration& decl) {
+        return decl.kind_case() == Fuzzing::Declaration::kFunction &&
+               decl.function().name() == "Main";
+      });
+  if (!has_main) {
+    Fuzzing::Declaration main_decl;
+    CHECK(google::protobuf::TextFormat::ParseFromString(EmptyMainDeclaration,
+                                                        &main_decl))
+        << "Failed to parse " << EmptyMainDeclaration;
+    *compilation_unit.add_declarations() = main_decl;
+  }
+}
+
+}  // namespace Carbon
diff --git a/executable_semantics/fuzzing/fuzzer_util.h b/executable_semantics/fuzzing/fuzzer_util.h
@@ -0,0 +1,17 @@
+// Part of the Carbon Language project, under the Apache License v2.0 with LLVM
+// Exceptions. See /LICENSE for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+#ifndef THIRD_PARTY_CARBON_LANG_EXECUTABLE_SEMANTICS_FUZZING_FUZZER_UTIL_H_
+#define THIRD_PARTY_CARBON_LANG_EXECUTABLE_SEMANTICS_FUZZING_FUZZER_UTIL_H_
+
+#include "common/fuzzing/carbon.pb.h"
+
+namespace Carbon {
+
+// Adds an empty `Main()` declaration if `compilation_unit` does not have one.
+auto MaybeAddMain(Fuzzing::CompilationUnit& compilation_unit) -> void;
+
+}  // namespace Carbon
+
+#endif  // THIRD_PARTY_CARBON_LANG_EXECUTABLE_SEMANTICS_FUZZING_FUZZER_UTIL_H_