-rw-r--r--csmith-fuzzing/README7
-rw-r--r--csmith-fuzzing/csmith.h15
-rw-r--r--csmith-fuzzing/driver.py33
3 files changed, 55 insertions, 0 deletions
diff --git a/csmith-fuzzing/README b/csmith-fuzzing/README
new file mode 100644
index 00000000..e4c74243
--- /dev/null
+++ b/csmith-fuzzing/README
@@ -0,0 +1,7 @@
+Fuzz bindgen with `csmith` https://github.com/csmith-project/csmith .
+
+Run with `python3 driver.py`. It will run until until it encounters an error in `bindgen`.
+
+Requires `python3`, `csmith` and `bindgen` to be in `$PATH`.
+
+csmith is run with `--no-checksum --nomain --max-block-size 1 --max-block-depth 1` which disables the `main` function and makes function bodies as simple as possible as bindgen does not care about them but they cannot be completely disabled in csmith. Run `csmith --help` to see what exactly those options do.
diff --git a/csmith-fuzzing/csmith.h b/csmith-fuzzing/csmith.h
new file mode 100644
index 00000000..faaef5b1
--- /dev/null
+++ b/csmith-fuzzing/csmith.h
@@ -0,0 +1,15 @@
+// Type definitions from csmith's csmith_minimal.h included in csmith.h .
+// Since other header contents are not needed we put them in here
+// so the other original header is not needed anymore.
+
+#define int8_t signed char
+#define uint8_t unsigned char
+
+#define int16_t short
+#define uint16_t unsigned short
+
+#define int32_t int
+#define uint32_t unsigned
+
+#define int64_t long long
+#define uint64_t unsigned long long
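Review bot: The fixed-width names are supplied as `#define` macros, so the preprocessor substitutes them before bindgen sees any declaration, and the fuzzed headers presumably only ever exercise primitive types. Aliases in the style of `typedef signed char int8_t;` would keep the names visible and also cover bindgen's type-alias handling, if that coverage is wanted. The macros also bake in target assumptions, which deserve a one-line comment such as `// Assumes int is 32-bit and long long is 64-bit on the target.` The file has no include guard; that is harmless for identical macros but would matter once typedefs are used.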
diff --git a/csmith-fuzzing/driver.py b/csmith-fuzzing/driver.py
new file mode 100644
index 00000000..ee42203d
--- /dev/null
+++ b/csmith-fuzzing/driver.py
@@ -0,0 +1,33 @@
+from subprocess import run, DEVNULL, PIPE
+
+csmith_command = [
+ "csmith",
+ "--no-checksum",
+ "--nomain",
+ "--max-block-size", "1",
+ "--max-block-depth", "1",
+ "--output", "generated.h"]
+
+bindgen_command = ["bindgen", "generated.h"]
+
+if __name__ == "__main__":
+ print("Bindgen fuzzing with csmith.")
+ print(
+ "This script will write to generated.h, bindgen_stdout, bindgen_stderr and platform.info . "
+ "These files can be deleted after running.")
+
+ iterations = 0
+ while True:
+ print("\rIteration: {}".format(iterations), end="", flush=True)
+
+ run(csmith_command, stdin=DEVNULL, stdout=DEVNULL, stderr=DEVNULL)
+ with open("bindgen_stdout", "wb") as stdout, open("bindgen_stdout", "wb") as stderr:
+ result = run(bindgen_command, stdin=DEVNULL, stdout=stdout, stderr=stderr)
+ if result.returncode != 0:
+ print()
+ print(
+ "Error: bindgen existed with non zero exit code {} when ran on generated.h . "
+ "You can find its output in bindgen_stoud and bindgen_stderr."
+ .format(result.returncode))
+ exit()
+ iterations += 1
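Review bot: Both handles in the `with` statement open `bindgen_stdout`, so bindgen's stderr lands in the same truncated file as stdout and `bindgen_stderr` is never created, losing the diagnostic output that the final message points the user to; the second open should be `open("bindgen_stderr", "wb")`. The result of the csmith `run(...)` call is ignored, so a failed generation leaves a stale or missing `generated.h` and the following bindgen failure is reported as a bindgen bug; passing `check=True` to that call would stop the loop instead. The failure path ends in a bare `exit()`, which returns status 0 and relies on the `site` builtin, so `sys.exit(1)` (with `import sys`) would let a wrapper script or CI job detect the finding. Neither `run` call sets `timeout=`, so a hang in bindgen stalls the loop rather than being recorded as a result. The error text also misspells `exited` and `bindgen_stdout`.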