infix
A JIT-Powered FFI Library for C
fuzz_signature.c File Reference

A libFuzzer-based harness for the infix FFI signature parser.

#include <infix/infix.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include "fuzz_helpers.h"

Functions

int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
 The entry point called by the libFuzzer engine for each test case.
 

Detailed Description

A libFuzzer-based harness for the infix FFI signature parser.

Copyright (c) 2025 Sanko Robinson

This source code is dual-licensed under the Artistic License 2.0 or the MIT License. You may choose to use this code under the terms of either license.

SPDX-License-Identifier: (Artistic-2.0 OR MIT)

The documentation blocks within this file are licensed under the Creative Commons Attribution 4.0 International License (CC BY 4.0).

SPDX-License-Identifier: CC-BY-4.0

This harness is a critical security and stability component for the library. It targets the main entry points of the high-level signature API, which are responsible for parsing arbitrary user-provided strings.

The fuzzer's primary goal is to find inputs that cause memory safety violations (buffer overflows, use-after-free), memory leaks, crashes (segmentation faults, assertion failures, integer overflows), or hangs (infinite loops, or runaway recursion on deeply nested input) within the parser logic.

Fuzzing Targets

This harness tests two key public API functions:

  1. infix_signature_parse(): This function parses a full function signature (arguments and return type). A successful parse results in a graph of infix_type objects allocated within a dedicated memory arena. The test verifies that if parsing succeeds, the entire arena can be destroyed without leaking memory.
  2. infix_type_from_signature(): This function parses a string representing a single data type. It follows the same test-and-destroy pattern as the full signature parser.

By fuzzing both functions, the recursive-descent parser is exercised with a wide variety of valid, invalid, and malicious inputs, reaching code paths that hand-written tests rarely cover. This harness is intended to be compiled with Clang and run with AddressSanitizer (-fsanitize=address,fuzzer) to automatically detect memory errors. On Linux, AddressSanitizer also enables LeakSanitizer, which is what makes the test-and-destroy pattern above report an arena that was not freed. Signed integer overflow is not something AddressSanitizer reports, so adding UndefinedBehaviorSanitizer (-fsanitize=address,undefined,fuzzer) is worthwhile for that class of bug.
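The test-and-destroy loop described above, as an added example that is not infix's own harness code: the arena, the recursive-descent parser and its grammar (the demo_* names) are stand-ins assumed here so the block compiles on its own, because the real signatures of infix_signature_parse() and infix_type_from_signature() are not shown on this page. The harness body also shows the two checks the description implies but does not spell out: NUL-terminating the raw fuzz buffer, and bounding recursion depth so deeply nested input cannot exhaust the stack.

```c
/* Added example (not infix's code): demo_* names and the grammar below are stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_INPUT 4096 /* cap work per input; huge cases only slow the fuzzer down */
#define MAX_DEPTH 64   /* nesting limit: unbounded recursion on "{{{{..." exhausts the stack */

/* Stand-in arena: a bump allocator. A successful parse hands back one arena owning the
 * whole type graph; the harness destroys it so LeakSanitizer can flag anything lost. */
typedef struct { unsigned char *base; size_t used, cap, nodes; } demo_arena;

static demo_arena *demo_arena_create(size_t cap) {
    demo_arena *a = calloc(1, sizeof *a);
    if (a && !(a->base = malloc(a->cap = cap))) { free(a); a = NULL; }
    return a;
}

static void *demo_arena_alloc(demo_arena *a, size_t n) {
    n = (n + 15) & ~(size_t)15;            /* keep every node 16-byte aligned */
    if (a->used + n > a->cap) return NULL; /* arena full: a parse failure, not a crash */
    void *p = a->base + a->used;
    a->used += n;
    a->nodes++;
    return p;
}

static void demo_arena_destroy(demo_arena *a) { free(a->base); free(a); }

/* Stand-in grammar (assumed, NOT infix's):
 *   type      := 'i' | 'd' | 'p' type | '{' type* '}'
 *   signature := '(' type* ')' type                       */
typedef struct demo_type { char kind; struct demo_type *inner; } demo_type;

static demo_type *parse_type(demo_arena *a, const char **p, int depth) {
    if (depth > MAX_DEPTH) return NULL;    /* reject instead of recursing until the stack dies */
    demo_type *t = demo_arena_alloc(a, sizeof *t);
    if (!t) return NULL;
    t->kind = **p;
    t->inner = NULL;
    switch (*(*p)++) {
    case 'i': case 'd':
        return t;
    case 'p':
        t->inner = parse_type(a, p, depth + 1);
        return t->inner ? t : NULL;
    case '{':
        while (**p && **p != '}')
            if (!parse_type(a, p, depth + 1)) return NULL;
        return *(*p)++ == '}' ? t : NULL;  /* a NUL here means the input was truncated */
    default:
        return NULL;                       /* unknown byte, or the terminator itself */
    }
}

/* Both targets return the node count on success (caller owns and destroys *out) or -1. */
int demo_type_from_signature(const char *s, demo_arena **out) {
    demo_arena *a = demo_arena_create(64 * 1024);
    if (!a) return -1;
    const char *p = s;
    if (!parse_type(a, &p, 0) || *p != '\0') { demo_arena_destroy(a); return -1; }
    *out = a;
    return (int)a->nodes;
}

int demo_parse_signature(const char *s, demo_arena **out) {
    demo_arena *a = demo_arena_create(64 * 1024);
    if (!a) return -1;
    const char *p = s;
    int ok = *p == '(';
    if (ok) p++;
    while (ok && *p && *p != ')') ok = parse_type(a, &p, 0) != NULL;
    if (ok && *p == ')') p++; else ok = 0;
    ok = ok && parse_type(a, &p, 0) != NULL && *p == '\0';
    if (!ok) { demo_arena_destroy(a); return -1; }
    *out = a;
    return (int)a->nodes;
}

/* Harness body: the fuzzer's bytes are not a C string, so copy them into a buffer one byte
 * larger and terminate it. An embedded NUL simply shortens the string, which is harmless.
 * Every successful parse is followed by a destroy, so a leak in either target shows up. */
int fuzz_one(const uint8_t *data, size_t size) {
    if (size == 0 || size > MAX_INPUT) return 0;
    char *buf = malloc(size + 1);
    if (!buf) return 0;
    memcpy(buf, data, size);
    buf[size] = '\0';
    demo_arena *arena = NULL;
    if (demo_parse_signature(buf, &arena) >= 0) demo_arena_destroy(arena);
    arena = NULL;
    if (demo_type_from_signature(buf, &arena) >= 0) demo_arena_destroy(arena);
    free(buf);
    return 0; /* libFuzzer expects 0; other return values are reserved by the engine */
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { return fuzz_one(data, size); }
```

Built with clang -g -O1 -fsanitize=address,fuzzer, the resulting binary fuzzes when run with a corpus directory and replays a single input without fuzzing when given a crash file as its argument, which is how a finding is reproduced under the sanitizer without the engine in the loop. The MAX_DEPTH check is the part worth carrying into a real parser: without it, the fuzzer finds the stack-exhaustion input within seconds, and ASan reports it as a stack overflow rather than a parse error.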

Function Documentation

◆ LLVMFuzzerTestOneInput()

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)

The entry point called by the libFuzzer engine for each test case.

The fuzzer engine repeatedly calls this function with a coverage-guided, mutated input buffer. The function treats the bytes as a candidate signature string and feeds them to the target functions; because libFuzzer does not NUL-terminate the buffer, the harness must copy it into a terminated buffer (or otherwise bound the read) before handing it to a string-based API. The fuzzer's goal is to find an input that causes a crash or triggers a sanitizer error.

Parameters
data: A pointer to the raw byte buffer provided by the fuzzer. The buffer is not NUL-terminated.
size: The size of the data buffer in bytes.
Returns
0. libFuzzer requires the function to return 0; other return values are reserved by the engine.