[llvm][cas] Implement basic fuzzer

cachemeifyoucan · cachemeifyoucan · commit 0efdf8150a91 · 2025-05-01T15:47:45.000-07:00
This is a basic fuzzer for CAS ObjectStore that will insert random data
into CAS and validate with several configurations randomly generated
from fuzzer. It will check:

* multi-threaded insertion
* multi-process insertion
* try randomly kill the subprocesses that are inserting data

And make sure it doesn't leave CAS in an invalid state. Suggested usage:
```
LLVM_CAS_LOG=2 llvm-cas-fuzzer --cas-path=... -rss_limit_mb=4096 --print-config
```
diff --git a/llvm/tools/llvm-cas-fuzzer/CMakeLists.txt b/llvm/tools/llvm-cas-fuzzer/CMakeLists.txt
@@ -0,0 +1,10 @@
+set(LLVM_LINK_COMPONENTS
+    CAS
+    FuzzerCLI
+    FuzzMutate
+    Support
+)
+add_llvm_fuzzer(llvm-cas-fuzzer
+  llvm-cas-fuzzer.cpp
+  DUMMY_MAIN DummyCASFuzzer.cpp
+  )
diff --git a/llvm/tools/llvm-cas-fuzzer/DummyCASFuzzer.cpp b/llvm/tools/llvm-cas-fuzzer/DummyCASFuzzer.cpp
@@ -0,0 +1,21 @@
+//===--- DummyCASFuzzer.cpp - Entry point to sanity check the fuzzer ------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+//
+// Implementation of main so we can build and test without linking libFuzzer.
+//
+//===----------------------------------------------------------------------===//
+
+#include "llvm/FuzzMutate/FuzzerCLI.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
+extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv);
+
+int main(int argc, char *argv[]) {
+  return llvm::runFuzzerOnInputs(argc, argv, LLVMFuzzerTestOneInput,
+                                 LLVMFuzzerInitialize);
+}
diff --git a/llvm/tools/llvm-cas-fuzzer/llvm-cas-fuzzer.cpp b/llvm/tools/llvm-cas-fuzzer/llvm-cas-fuzzer.cpp
@@ -0,0 +1,247 @@
+#include "llvm/ADT/BitmaskEnum.h"
+#include "llvm/CAS/ActionCache.h"
+#include "llvm/CAS/BuiltinUnifiedCASDatabases.h"
+#include "llvm/CAS/ObjectStore.h"
+#include "llvm/Support/Program.h"
+#include "llvm/Support/RandomNumberGenerator.h"
+#include "llvm/Support/ThreadPool.h"
+
+using namespace llvm;
+using namespace llvm::cas;
+
+// Options from commandline.
+static std::string CASPath;
+static bool GenData = false;
+static bool PrintConfig = false;
+static bool ForceKill = false;
+static unsigned OptNumShards = 0;
+static unsigned OptTreeDepth = 0;
+static unsigned OptNumChildren = 0;
+static unsigned OptDataLength = 0;
+static const char *Argv0 = nullptr;
+
+enum CASFuzzingSettings : uint8_t {
+  DEFAULT = 0,
+  FORK = 1,                   // CAS Data filling happens in subprocesses.
+  CHECK_TERMINATION = 1 << 1, // Try kill the subprocess when it fills the data.
+  PRUNE_CAS = 1 << 2,         // Prune the CAS after the test.
+
+  LAST = UINT8_MAX, // Enum is randomly generated, use MAX to cover all inputs.
+  LLVM_MARK_AS_BITMASK_ENUM(LAST)
+};
+
+struct Config {
+  CASFuzzingSettings Settings = DEFAULT;
+  uint8_t NumShards;
+  uint8_t NumChildren;
+  uint8_t TreeDepth;
+  uint16_t DataLength;
+
+  void constraint() {
+    // reduce the size of parameter if they are too big.
+    if (NumShards > 12) {
+      // If forking, max out the threads.
+      if (Settings & FORK)
+        NumShards = 12;
+      else
+        NumShards = NumShards % 12;
+    }
+
+    if (NumChildren > 10)
+      NumChildren = NumChildren % 10;
+
+    if (TreeDepth > 10)
+      TreeDepth = TreeDepth % 10;
+
+    if (DataLength > 1024)
+      DataLength = DataLength % 1024;
+
+    if (ForceKill) {
+      Settings |= FORK;
+      Settings |= CHECK_TERMINATION;
+    }
+  }
+
+  void init() {
+    NumShards = OptNumShards ? OptNumShards : 8;
+    NumChildren = OptNumChildren ? OptNumChildren : 4;
+    TreeDepth = OptTreeDepth ? OptTreeDepth : 12;
+    DataLength = OptDataLength ? OptDataLength : 128;
+  }
+
+  void appendCommandLineOpts(std::vector<std::string> &Cmd) {
+    Cmd.push_back("--num-shards=" + utostr(NumShards));
+    Cmd.push_back("--num-children=" + utostr(NumChildren));
+    Cmd.push_back("--tree-depth=" + utostr(TreeDepth));
+    Cmd.push_back("--data-length=" + utostr(DataLength));
+  }
+
+  void dump() {
+    llvm::errs() << "## Configuration:"
+                 << " Fork: " << (bool)(Settings & FORK)
+                 << " Kill: " << (bool)(Settings & CHECK_TERMINATION)
+                 << " Prune: " << (bool)(Settings & PRUNE_CAS)
+                 << " NumShards: " << (unsigned)NumShards
+                 << " TreeDepth: " << (unsigned)TreeDepth
+                 << " NumChildren: " << (unsigned)NumChildren
+                 << " DataLength: " << (unsigned)DataLength << "\n";
+  }
+};
+
+static void parseOptions(int Argc, char **Argv) {
+  Argv0 = Argv[0];
+
+  for (int I = 0; I < Argc; ++I) {
+    StringRef Arg = Argv[I];
+    // option must start with `--`.
+    if (!Arg.consume_front("--"))
+      continue;
+
+    // flags.
+    if (Arg == "gen-data") {
+      GenData = true;
+      continue;
+    }
+    if (Arg == "print-config") {
+      PrintConfig = true;
+      continue;
+    }
+    if (Arg == "force-kill") {
+      ForceKill = true;
+      continue;
+    }
+
+    // options that take an argument.
+    auto Opt = Arg.split('=');
+    if (Opt.first == "cas-path")
+      CASPath = Opt.second.str();
+    else if (Opt.first == "num-shards")
+      to_integer(Opt.second, OptNumShards);
+    else if (Opt.first == "num-children")
+      to_integer(Opt.second, OptNumChildren);
+    else if (Opt.first == "tree-depth")
+      to_integer(Opt.second, OptTreeDepth);
+    else if (Opt.first == "data-length")
+      to_integer(Opt.second, OptDataLength);
+  }
+}
+
+// fill the CAS with random data of specified tree depth and children numbers.
+static void fillData(ObjectStore &CAS, const Config &Conf) {
+  ExitOnError ExitOnErr("llvm-cas-fuzzer fill data: ");
+  DefaultThreadPool ThreadPool(hardware_concurrency());
+  for (size_t I = 0; I != Conf.NumShards; ++I) {
+    ThreadPool.async([&] {
+      std::vector<ObjectRef> Refs;
+      for (unsigned Depth = 1; Depth <= Conf.TreeDepth; ++Depth) {
+        unsigned NumNodes = (Conf.TreeDepth - Depth) * Conf.NumChildren + 1;
+        std::vector<ObjectRef> Created;
+        Created.reserve(NumNodes);
+        ArrayRef<ObjectRef> PreviouslyCreated(Refs);
+        for (unsigned I = 0; I < NumNodes; ++I) {
+          std::vector<char> Data(Conf.DataLength);
+          getRandomBytes(Data.data(), Data.size());
+          if (Depth == 1) {
+            auto Ref = ExitOnErr(CAS.store({}, Data));
+            Created.push_back(Ref);
+          } else {
+            auto Parent = PreviouslyCreated.slice(I, Conf.NumChildren);
+            auto Ref = ExitOnErr(CAS.store(Parent, Data));
+            Created.push_back(Ref);
+          }
+        }
+        Refs.swap(Created);
+      }
+    });
+  }
+  ThreadPool.wait();
+}
+
+static int genData() {
+  ExitOnError ExitOnErr("llvm-cas-fuzzer --gen-data: ");
+
+  if (CASPath.empty()) {
+    llvm::errs() << "--gen-data requires --cas-path= option\n";
+    return 1;
+  }
+
+  Config Conf;
+  Conf.init();
+
+  auto DB = ExitOnErr(cas::createOnDiskUnifiedCASDatabases(CASPath));
+  fillData(*DB.first, Conf);
+
+  return 0;
+}
+
+extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
+  parseOptions(*argc, *argv);
+  if (GenData) {
+    genData();
+    exit(0);
+  }
+
+  return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  ExitOnError ExitOnErr("llvm-cas-fuzzer: ");
+
+  if (Size < sizeof(Config))
+    return 0;
+
+  Config Conf;
+  std::memcpy(&Conf, Data, sizeof(Conf));
+  Conf.constraint();
+
+  if (Conf.NumShards == 0)
+    return 0;
+
+  if (PrintConfig)
+    Conf.dump();
+
+  auto DB = ExitOnErr(cas::createOnDiskUnifiedCASDatabases(CASPath));
+  auto &CAS = DB.first;
+
+  ExitOnErr(CAS->setSizeLimit(1024));
+  if (Conf.Settings & FORK) {
+    // fill data using sub processes.
+    std::string MainExe = sys::fs::getMainExecutable(Argv0, &Argv0);
+    std::vector<std::string> Args = {MainExe, "--gen-data",
+                                     "--cas-path=" + CASPath};
+    Conf.appendCommandLineOpts(Args);
+    std::vector<StringRef> Cmd;
+    for_each(Args, [&Cmd](const std::string &Arg) { Cmd.push_back(Arg); });
+
+    std::vector<sys::ProcessInfo> Subprocesses;
+
+    for (int I = 0; I < Conf.NumShards; ++I) {
+      auto SP = sys::ExecuteNoWait(MainExe, Cmd, std::nullopt);
+      if (SP.Pid != 0)
+        Subprocesses.push_back(SP);
+    }
+
+    if (Conf.Settings & CHECK_TERMINATION) {
+      for_each(Subprocesses, [](auto &P) {
+        // Wait 1 second and killed the process.
+        auto WP = sys::Wait(P, 1);
+        if (WP.ReturnCode)
+          llvm::errs() << "subprocess killed\n";
+      });
+    } else {
+      for_each(Subprocesses, [](auto &P) { sys::Wait(P, std::nullopt); });
+    }
+
+  } else {
+    // in-process fill data.
+    fillData(*CAS, Conf);
+  }
+
+  // validate and prune in the end.
+  ExitOnErr(CAS->validate(true));
+
+  if (Conf.Settings & PRUNE_CAS)
+    ExitOnErr(CAS->pruneStorageData());
+
+  return 0;
+}
