`4a7578b`

Add fuzzing harness: cargo-fuzz targets and deterministic smoke tests

Lexer fuzzer, parser fuzzer (cargo fuzz), seed corpus, and
deterministic smoke tests (10K random ASCII through lexer, 5K
through parser, 5K Fortran fragment combinations through parser).

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 1 month ago

SHA: 4a7578b82d19d6b51469b88ec576755f503d2f3a
Parents: d9bb467
Tree: aedf4f3

8 changed files

Status	File	+
A	`fuzz/Cargo.toml`	26
A	`fuzz/corpus/fuzz_lexer/seed_hello.f90`	4
A	`fuzz/corpus/fuzz_lexer/seed_module.f90`	10
A	`fuzz/corpus/fuzz_parser/seed_complex.f90`	23
A	`fuzz/corpus/fuzz_parser/seed_hello.f90`	4
A	`fuzz/fuzz_targets/fuzz_lexer.rs`	12
A	`fuzz/fuzz_targets/fuzz_parser.rs`	15
A	`tests/fuzz_smoke.rs`	118

fuzz/Cargo.tomladded

 +[package]
 +name = "armfortas-fuzz"
 +version = "0.0.0"
 +publish = false
 +edition = "2021"
++
 +[package.metadata]
 +cargo-fuzz = true
++
 +[dependencies]
 +libfuzzer-sys = "0.4"
 +armfortas = { path = ".." }
++
 +# Prevent this from interfering with workspaces
 +[workspace]
 +members = ["."]
++
 +[[bin]]
 +name = "fuzz_lexer"
 +path = "fuzz_targets/fuzz_lexer.rs"
 +doc = false
++
 +[[bin]]
 +name = "fuzz_parser"
 +path = "fuzz_targets/fuzz_parser.rs"
 +doc = false

fuzz/corpus/fuzz_lexer/seed_hello.f90added

 +program hello
 +  implicit none
 +  print *, "Hello, world!"
 +end program

fuzz/corpus/fuzz_lexer/seed_module.f90added

 +module m
 +  implicit none
 +  integer, parameter :: N = 42
 +  real, allocatable :: buf(:)
 +contains
 +  pure integer function f(x)
 +    integer, intent(in) :: x
 +    f = x * 2
 +  end function
 +end module

fuzz/corpus/fuzz_parser/seed_complex.f90added

 +module m
 +  implicit none
 +  type :: point
 +    real :: x, y
 +  end type
 +contains
 +  subroutine process(arr, n)
 +    integer, intent(in) :: n
 +    type(point), intent(inout) :: arr(:)
 +    integer :: i
 +    do i = 1, n
 +      arr(i)%x = real(i)
 +      arr(i)%y = real(i) * 2.0
 +    end do
 +  end subroutine
 +end module
 +program p
 +  use m
 +  implicit none
 +  type(point) :: pts(10)
 +  call process(pts, 10)
 +  print *, pts(5)%x, pts(5)%y
 +end program

fuzz/corpus/fuzz_parser/seed_hello.f90added

 +program hello
 +  implicit none
 +  print *, "Hello, world!"
 +end program

fuzz/fuzz_targets/fuzz_lexer.rsadded

 +#![no_main]
++
 +use libfuzzer_sys::fuzz_target;
 +use armfortas::lexer::{self, SourceForm};
++
 +fuzz_target!(|data: &[u8]| {
 +    // Feed arbitrary bytes to the lexer. It must never panic —
 +    // errors are fine, panics are bugs.
 +    if let Ok(src) = std::str::from_utf8(data) {
 +        let _ = lexer::tokenize(src, 0, SourceForm::FreeForm);
 +    }
 +});

fuzz/fuzz_targets/fuzz_parser.rsadded

 +#![no_main]
++
 +use libfuzzer_sys::fuzz_target;
 +use armfortas::lexer::{self, SourceForm};
 +use armfortas::parser::Parser;
++
 +fuzz_target!(|data: &[u8]| {
 +    // Feed arbitrary bytes through lexer → parser. Neither may panic.
 +    if let Ok(src) = std::str::from_utf8(data) {
 +        if let Ok(tokens) = lexer::tokenize(src, 0, SourceForm::FreeForm) {
 +            let mut parser = Parser::new(&tokens);
 +            let _ = parser.parse_file();
 +        }
 +    }
 +});

tests/fuzz_smoke.rsadded

 +//! Smoke-level fuzz tests for the lexer and parser.
 +//!
 +//! These don't use libfuzzer — they run deterministic random inputs
 +//! through the lexer and parser to verify no panics. For real fuzzing,
 +//! use `cargo fuzz run fuzz_lexer` / `cargo fuzz run fuzz_parser`.
++
 +use armfortas::lexer::{self, SourceForm};
 +use armfortas::parser::Parser;
++
 +/// Feed N random-ish strings through the lexer.
 +fn fuzz_lexer_deterministic(seed: u64, count: usize) {
 +    let mut state = seed;
 +    for _ in 0..count {
 +        // Simple xorshift64 PRNG.
 +        state ^= state << 13;
 +        state ^= state >> 7;
 +        state ^= state << 17;
++
 +        let len = (state % 256) as usize;
 +        let bytes: Vec<u8> = (0..len)
 +            .map(|i| {
 +                let mut s = state.wrapping_add(i as u64);
 +                s ^= s << 13;
 +                s ^= s >> 7;
 +                s ^= s << 17;
 +                (s & 0x7F) as u8 // ASCII range
 +            })
 +            .collect();
++
 +        if let Ok(src) = std::str::from_utf8(&bytes) {
 +            let _ = lexer::tokenize(src, 0, SourceForm::FreeForm);
 +        }
 +    }
 +}
++
 +/// Feed N random-ish strings through lexer → parser.
 +fn fuzz_parser_deterministic(seed: u64, count: usize) {
 +    let mut state = seed;
 +    for _ in 0..count {
 +        state ^= state << 13;
 +        state ^= state >> 7;
 +        state ^= state << 17;
++
 +        let len = (state % 512) as usize;
 +        let bytes: Vec<u8> = (0..len)
 +            .map(|i| {
 +                let mut s = state.wrapping_add(i as u64);
 +                s ^= s << 13;
 +                s ^= s >> 7;
 +                s ^= s << 17;
 +                (s & 0x7F) as u8
 +            })
 +            .collect();
++
 +        if let Ok(src) = std::str::from_utf8(&bytes) {
 +            if let Ok(tokens) = lexer::tokenize(src, 0, SourceForm::FreeForm) {
 +                let mut parser = Parser::new(&tokens);
 +                let _ = parser.parse_file();
 +            }
 +        }
 +    }
 +}
++
 +/// Feed malformed but plausible Fortran through the parser.
 +/// Runs without threads — each input goes directly through the parser.
 +fn fuzz_parser_with_fortran_fragments(count: usize) {
 +    let fragments = [
 +        "program p\nend program\n", "module m\nend module\n",
 +        "integer :: x\n", "real, allocatable :: a(:,:)\n",
 +        "do i = 1, 10\nend do\n", "if (x > 0) then\nend if\n",
 +        "select case (x)\ncase (1)\nend select\n",
 +        "type :: t\n  integer :: f\nend type\n",
 +        "interface\nend interface\n",
 +        "goto 100\n", "100 continue\n",
 +        "use iso_c_binding, only: c_int\n",
 +        "", "!\n", "! comment\n",
 +        "end\n",
 +    ];
++
 +    let mut state: u64 = 0xDEADBEEF;
 +    for _ in 0..count {
 +        state ^= state << 13;
 +        state ^= state >> 7;
 +        state ^= state << 17;
++
 +        // Pick 1-3 random fragments and concatenate.
 +        let n_frags = 1 + (state % 3) as usize;
 +        let mut src = String::new();
 +        for _ in 0..n_frags {
 +            state ^= state << 13;
 +            state ^= state >> 7;
 +            state ^= state << 17;
 +            let idx = (state as usize) % fragments.len();
 +            src.push_str(fragments[idx]);
 +        }
++
 +        if let Ok(tokens) = lexer::tokenize(&src, 0, SourceForm::FreeForm) {
 +            if tokens.len() > 100 { continue; }
 +            let mut parser = Parser::new(&tokens);
 +            let _ = parser.parse_file();
 +        }
 +    }
 +}
++
 +#[test]
 +fn lexer_no_panic_on_random_ascii() {
 +    fuzz_lexer_deterministic(0x12345678, 10_000);
 +}
++
 +#[test]
 +fn parser_no_panic_on_random_ascii() {
 +    fuzz_parser_deterministic(0x87654321, 5_000);
 +}
++
 +#[test]
 +fn parser_no_panic_on_fortran_fragments() {
 +    fuzz_parser_with_fortran_fragments(5_000);
 +}