Fix crashes found by fuzzing and improve fuzzing utilities (#158)

* fix: crash on redefine of define with no content

* fix: crash on reverse redefine with no content

* fix: crash on import all with no import name

* impr: fuzzing tooling

Author: jumanji144

fuzz/README.md

@@ -29,6 +29,19 @@ afl-fuzz -i inputs -o output -x ./dict/hexpat.dict -- ./plfuzz @@
 ```
 This will run a simple fuzzing session with the inputs in the `inputs` folder and outputting to the `output` folder.
 
+### Minimization
+
+To minimize the found crashes, you can simpy use the `afl-tmin` tool that comes with AFL++.
+Here is an example of how to minimize a crash:
+```bash
+afl-tmin -i output/crashes/<crash_file> -o output/minimized/<crash_file> -- ./plfuzz @@
+```
+
+We also provide a small script to minimize all crashes in the `output/crashes` folder:
+```bash
+python3 afl-pytmin.py output/crashes output/minimized ./plfuzz
+```
+
 ### Debugging
 During the session, if the fuzzer finds crashes or halts, it will output the crashing input to the
 `output/crashes` or `output/hangs` folder.   

fuzz/afl-pytmin.py

@@ -0,0 +1,94 @@
+#!/env/python
+# Adapted from https://github.com/ilsani/afl-pytmin/tree/master
+# ALL RIGHTS RESERVED TO THE ORIGINAL AUTHOR
+#
+# python afl-pytmin.py <input-dir> <output-dir> <harness-bin>
+#
+
+import sys
+import os
+import subprocess
+
+from queue import Queue
+from threading import Thread
+
+AFL_TMIN_CMD = "afl-tmin"
+
+def tmin(workerid, queue, output_dirname, harness_bin):
+
+    while True:
+
+        data = queue.get()
+        filename = data["filename"]
+        counter = data["counter"]
+
+        output_path = "%s/%d" %(output_dirname, counter)
+
+        args = [
+            AFL_TMIN_CMD,
+            "-i",
+            filename,
+            "-o",
+            output_path,
+            "-t",
+            "3000",
+            "-m",
+            "4096",
+            "--",
+            harness_bin,
+            "@@"
+        ]
+
+        print("[i] Processing %s file ... " %(filename))
+
+        with open(os.devnull, 'w') as devnull:
+            p = subprocess.Popen(args, stdout=devnull, stderr=devnull, shell=False)
+            # p.communicate()
+            p.wait()
+
+        # p.stdout.close()
+
+        queue.task_done()
+
+def read_filename(input_dirname):
+
+    for f in os.listdir(input_dirname):
+        yield ("%s/%s" %(input_dirname, f)).strip()
+
+def main():
+
+    try:
+
+        n_cores = 5
+        input_dirname = sys.argv[1]
+        output_dirname = sys.argv[2]
+        harness_bin = sys.argv[3]
+
+        if not os.path.exists(output_dirname):
+            os.makedirs(output_dirname)
+
+        queue = Queue()
+
+        # Set up some threads
+        for i in range(n_cores):
+            worker = Thread(target=tmin, args=(i, queue, output_dirname, harness_bin, ))
+            worker.setDaemon(True)
+            worker.start()
+
+        # Fill the queue
+        counter = 0
+        for filename in read_filename(input_dirname):
+
+            data = { "filename": filename,
+                     "counter": counter }
+
+            queue.put(data)
+            counter = counter + 1
+
+        queue.join()
+
+    except Exception as e:
+        print("[!] Error: %s" %(str(e)))
+
+if __name__ == "__main__":
+    main()

lib/include/pl/core/preprocessor.hpp

@@ -140,7 +140,12 @@ namespace pl::core {
         std::unordered_map<Token::Directive, api::DirectiveHandler> m_directiveHandlers;
         std::unordered_map<Token::Keyword, api::StatementHandler> m_statementHandlers;
 
-        std::unordered_map<std::string, std::vector<Token>> m_defines;
+        struct Define {
+            Token nameToken;
+            std::vector<Token> values;
+        };
+
+        std::unordered_map<std::string, Define> m_defines;
         std::unordered_map<std::string, std::vector<std::pair<std::string, u32>>> m_pragmas;
         std::vector<ExcludedLocation> m_excludedLocations;
 

lib/source/pl/core/preprocessor.cpp

@@ -178,17 +178,34 @@ namespace pl::core {
         }
 
         if (m_defines.contains(name)) {
-            bool isValueSame = m_defines[name] == values;
+            bool isValueSame = m_defines[name].values == values;
             if (!isValueSame) {
-                errorAt(values[0].location, "Previous definition occurs at line '{}'.", m_defines[name][0].location.line);
-                errorAt(m_defines[name][0].location, "Macro '{}' is redefined in line '{}'.", name, values[0].location.line);
-                m_defines[name].clear();
-                m_defines[name] = values;
+                auto& define = m_defines[name];
+                Location defineLocation{};
+
+                if (define.values.empty()) {
+                    defineLocation = define.nameToken.location;
+                } else {
+                    defineLocation = define.values[0].location;
+                }
+
+                Location ourLocation{};
+                if (values.empty()) {
+                    ourLocation = token.location;
+                } else {
+                    ourLocation = values[0].location;
+                }
+
+                errorAt(ourLocation, "Previous definition occurs at line '{}'.", defineLocation.line);
+                errorAt(defineLocation, "Macro '{}' is redefined in line '{}'.", name, defineLocation.line);
+
+                m_defines[name] = { token, values };
+
                 removeKey(token);
                 m_keys.emplace_back(token);
             }
         } else {
-            m_defines[name] = values;
+            m_defines[name] = { token, values };
             m_keys.emplace_back(token);
         }
     }
@@ -340,7 +357,7 @@ namespace pl::core {
         if (auto *tokenLiteral = std::get_if<Token::Literal>(&m_token->value); m_token->type == Token::Type::String && tokenLiteral != nullptr) {
             path = tokenLiteral->toString(false);
 
-        } else if (auto *identifier = std::get_if<Token::Identifier>(&m_token->value); m_token->type == Token::Type::Identifier) {
+        } else if (auto *identifier = std::get_if<Token::Identifier>(&m_token->value); m_token->type == Token::Type::Identifier && identifier != nullptr) {
             saveImport.push_back(*m_token);
             path = identifier->get();
             m_token++;
@@ -476,7 +493,7 @@ namespace pl::core {
                         Token::Identifier *tokenIdentifier = std::get_if<Token::Identifier>(&m_token->value);
                         if (tokenIdentifier != nullptr)
                             tokenIdentifier->setType(Token::Identifier::IdentifierType::Macro);
-                        for (const auto &newToken: m_defines[keyIdentifier->get()])
+                        for (const auto &newToken: m_defines[keyIdentifier->get()].values)
                             resultValues.push_back(newToken);
                     } else
                         resultValues.push_back(value);
@@ -614,7 +631,9 @@ namespace pl::core {
     }
 
     void Preprocessor::addDefine(const std::string &name, const std::string &value) {
-        m_defines[name] = {Token { Token::Type::String, value, {nullptr, 0, 0, 0 } } } ;
+        auto nameToken = Token { Token::Type::Identifier, name, Location::Empty() };
+        auto valueToken = Token { Token::Type::String, value, Location::Empty() };
+        m_defines[name] = { nameToken, { valueToken }};
     }
 
     void Preprocessor::addPragmaHandler(const std::string &pragmaType, const api::PragmaHandler &handler) {