add Bump fuzz target (#11)

dataphract · Aug 21, 2022 · 3908def · 3908def
1 parent f9e94fc
commit 3908def
Show file tree

Hide file tree

Showing 4 changed files with 76 additions and 13 deletions.
diff --git a/acid_alloc_hater/src/lib.rs b/acid_alloc_hater/src/lib.rs
@@ -2,7 +2,7 @@
 
 use std::{alloc::Layout, ops::Range, ptr::NonNull};
 
-use acid_alloc::{AllocInitError, Buddy, Global, Slab};
+use acid_alloc::{AllocInitError, Buddy, Bump, Global, Slab};
 use alloc_hater::Subject;
 
 pub struct BuddySubject<const BLK_SIZE: usize, const LEVELS: usize>(
@@ -56,9 +56,32 @@ impl Subject for SlabSubject {
         self.0.allocate(layout)
     }
 
-    unsafe fn deallocate(&mut self, ptr: NonNull<u8>, _layout: std::alloc::Layout) {
+    unsafe fn deallocate(&mut self, ptr: NonNull<u8>, _layout: Layout) {
         unsafe { self.0.deallocate(ptr) };
     }
 
     fn handle_custom_op(&mut self, (): ()) {}
 }
+
+pub struct BumpSubject(Bump<Global>);
+
+impl BumpSubject {
+    pub fn new(layout: Layout) -> Result<Self, AllocInitError> {
+        let b = Bump::try_new(layout)?;
+        Ok(BumpSubject(b))
+    }
+}
+
+impl Subject for BumpSubject {
+    type Op = ();
+
+    type AllocError = acid_alloc::AllocError;
+
+    fn allocate(&mut self, layout: Layout) -> Result<NonNull<[u8]>, Self::AllocError> {
+        self.0.allocate(layout)
+    }
+
+    unsafe fn deallocate(&mut self, ptr: NonNull<u8>, _layout: Layout) {
+        unsafe { self.0.deallocate(ptr) }
+    }
+}
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
@@ -39,3 +39,9 @@ name = "slab"
 path = "fuzz_targets/slab.rs"
 test = false
 doc = false
+
+[[bin]]
+name = "bump"
+path = "fuzz_targets/bump.rs"
+test = false
+doc = false
diff --git a/fuzz/fuzz_targets/bump.rs b/fuzz/fuzz_targets/bump.rs
@@ -0,0 +1,40 @@
+#![no_main]
+use std::alloc::Layout;
+
+use acid_alloc_hater::BumpSubject;
+use alloc_hater::{AllocatorOp, ArbLayout};
+use arbitrary::{Arbitrary, Unstructured};
+use libfuzzer_sys::fuzz_target;
+
+const MAX_SIZE: usize = 64 * 1024;
+const MAX_ALIGN_SHIFT: u8 = 12; // 4096 bytes
+
+#[derive(Clone, Debug)]
+struct Args {
+    layout: Layout,
+    ops: Vec<AllocatorOp>,
+}
+
+impl Arbitrary<'_> for Args {
+    fn arbitrary(un: &mut Unstructured) -> arbitrary::Result<Args> {
+        let size = usize::arbitrary(un)? % MAX_SIZE;
+        let align_shift = u8::arbitrary(un)? % MAX_ALIGN_SHIFT;
+        let align = 1_usize << align_shift;
+        let layout = Layout::from_size_align(size, align).unwrap();
+        let ops = Vec::arbitrary(un)?;
+
+        Ok(Args { layout, ops })
+    }
+}
+
+fuzz_target!(|args: Args| {
+    let Args { layout, ops } = args;
+
+    let mut bump = match BumpSubject::new(layout) {
+        Ok(s) => s,
+        Err(_) => return,
+    };
+
+    let mut eval = alloc_hater::Evaluator::new(bump);
+    eval.evaluate(ops).unwrap();
+});
diff --git a/src/bump.rs b/src/bump.rs
@@ -44,7 +44,6 @@ use crate::Global;
 /// A bump allocator.
 pub struct Bump<A: BackingAllocator> {
     base: BasePtr,
-    limit: NonZeroUsize,
     low_mark: NonZeroUsize,
     outstanding: usize,
     layout: Layout,
@@ -76,7 +75,6 @@ impl Bump<Raw> {
         let lower_limit = self.low_mark;
         let lower = Bump {
             base: BasePtr::new(self.base.ptr(), lower_size),
-            limit: lower_limit,
             outstanding: 0,
             low_mark: lower_limit,
             layout: Layout::from_size_align(lower_size, 1).unwrap(),
@@ -87,7 +85,6 @@ impl Bump<Raw> {
         let new_base = BasePtr::new(self.base.with_addr(self.low_mark), upper_size);
         let upper = Bump {
             base: new_base,
-            limit: self.limit,
             low_mark: self.low_mark,
             outstanding: self.outstanding,
             // TODO: Alignment may be higher in some cases. Is that useful with Raw?
@@ -229,7 +226,7 @@ where
 
         if self.outstanding == 0 {
             // Reset the allocator.
-            self.low_mark = self.limit;
+            self.low_mark = self.base.limit();
         }
     }
 
@@ -241,14 +238,13 @@ where
     /// # Safety
     ///
     /// The caller must uphold the following invariants:
-    /// - No references to data allocated by this `Bump` may exist when the method
-    ///   is called.
-    /// - Any pointers to data previously allocated by this allocator may no
-    ///   longer be dereferenced or passed to [`Bump::deallocate()`].
+    /// - No references to data allocated by this `Bump` may exist when the method is called.
+    /// - Any pointers to data previously allocated by this allocator may no longer be dereferenced
+    ///   or passed to [`Bump::deallocate()`].
     ///
     /// [`Bump::deallocate()`]: Bump::deallocate
     pub unsafe fn reset(&mut self) {
-        self.low_mark = self.limit;
+        self.low_mark = self.base.limit();
     }
 
     /// Returns a pointer to the managed region.
@@ -283,7 +279,6 @@ where
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         f.debug_struct("Bump")
             .field("base", &self.base)
-            .field("limit", &self.limit)
             .field("low_mark", &self.low_mark)
             .finish()
     }
@@ -299,7 +294,6 @@ impl RawBump {
     fn with_backing_allocator<A: BackingAllocator>(self, backing_allocator: A) -> Bump<A> {
         Bump {
             base: self.base,
-            limit: self.limit,
             low_mark: self.limit,
             outstanding: 0,
             layout: self.layout,