fuzz: Add a subcommand for generating corpus input

Author: tgross35

Cargo.toml

@@ -23,6 +23,10 @@ smallvec = { version = "1.11.0", features = ["const_generics", "union"] }
 [dev-dependencies]
 criterion = { version = "0.5.1", features = ["html_reports"] }
 
+# Speed up some things like decoding and corpus generation
+[profile.dev.package.rustc_apfloat-fuzz]
+opt-level = 1
+
 [[bench]]
 name = "decimal"
 harness = false

README.md

@@ -87,6 +87,8 @@ on other platforms, or even some Linux distros, though it mostly assumes UNIX.
 There is a justfile that makes this easy:
 
 ```sh
+# Create the corpus
+just gen
 # Build and run fuzzing
 just fuzz
 # Do the same thing but use more cores
@@ -104,12 +106,14 @@ cargo install cargo-afl
 # Build the fuzzing binary (`target/release/rustc_apfloat-fuzz`).
 cargo afl build -p rustc_apfloat-fuzz --release
 
-# Seed the inputs for a run `foo` (while not ideal, even this one minimal input works).
-mkdir fuzz/in-foo && echo > fuzz/in-foo/empty
+# Seed the inputs for a run `foo`
+cargo run -p rustc_apfloat-fuzz -- corpus fuzz/runs/in-unmin
+# Minimize the results (optional but recommended)
+cargo afl cmin -i fuzz/runs/in-unmin -o fuzz/runs/in -T "$(nproc)" target/release/rustc_apfloat-fuzz
 
 # Start the fuzzing run `foo`, which should bring up the AFL++ progress TUI
 # (see also `cargo run -p rustc_apfloat-fuzz` for extra flags available).
-cargo afl fuzz -i fuzz/run/in-foo -o fuzz/run/out-foo target/release/rustc_apfloat-fuzz
+cargo afl fuzz -i fuzz/runs/in -o fuzz/runs/out-foo target/release/rustc_apfloat-fuzz
 ```
 
 To visualize the fuzzing testcases, you can use the `decode` subcommand:

fuzz/src/corpus.rs

@@ -0,0 +1,140 @@
+use std::fmt::{self, Write as _};
+use std::fs;
+use std::io::Write;
+use std::path::Path;
+
+use num_traits::ToPrimitive;
+use rustc_apfloat::{Float, Round};
+
+use crate::{Args, Error, FloatRepr, Op, decode_eval_check, for_each_repr, round_to_u8};
+
+const ROUND_ALL: &[Round] = &[
+    Round::NearestTiesToEven,
+    Round::TowardPositive,
+    Round::TowardNegative,
+    Round::TowardZero,
+    Round::NearestTiesToAway,
+];
+
+/// Create baseline inputs for the fuzzer to start with. It will start applying mutations to these
+/// inputs.
+///
+/// This creates the cartesian product of the following:
+///
+/// * All float types
+/// * All operations
+/// * All rounding modes
+/// * A small list of possible inputs, applied to each argument.
+///
+/// This creates a _lot_ of files, so running `cmin` after helps give the fuzzer less input to
+/// work with.
+pub fn generate(dir: &Path) {
+    fs::create_dir_all(&dir).unwrap();
+    let mut total = 0;
+
+    for_each_repr!(for F in all_reprs!() {
+        let count = gen_for_f::<F>(dir);
+        total += count;
+    });
+
+    eprintln!("wrote {total} total files to `{}`", dir.display());
+    eprintln!("note that it is recommended to run `cargo afl cmin` (`just gen` handles this)");
+}
+
+fn gen_for_f<F: FloatRepr>(dir: &Path) -> u64 {
+    let mut buf = Vec::new();
+    let mut name = String::new();
+
+    // There is no `ONE` constant, so this works.
+    let one = (F::RustcApFloat::SMALLEST / F::RustcApFloat::SMALLEST).value;
+    let inputs = [
+        F::RustcApFloat::ZERO,
+        F::RustcApFloat::INFINITY,
+        -F::RustcApFloat::ZERO,
+        -F::RustcApFloat::INFINITY,
+        F::RustcApFloat::qnan(None),
+        F::RustcApFloat::snan(None),
+        F::RustcApFloat::largest(),
+        F::RustcApFloat::SMALLEST,
+        F::RustcApFloat::smallest_normalized(),
+        one,
+    ];
+    let mut count = 0;
+    let flt_name = F::short_lowercase_name();
+
+    // We don't need to test anything here, just use `cli_args` for config.
+    let mut cli_args = Args::default();
+    cli_args.ignore_cxx = true;
+    cli_args.ignore_hard = true;
+
+    for op in Op::ALL.iter().copied() {
+        for rm in ROUND_ALL.iter().copied() {
+            let mut write_one = |a: F, b: F, c: F, input_desc: fmt::Arguments| {
+                buf.clear();
+                name.clear();
+
+                write!(name, "{flt_name}-{op:?}-{rm:?}-{input_desc}").unwrap();
+
+                buf.push(F::KIND.to_u8().unwrap());
+                buf.push(op.to_u8().unwrap());
+                buf.push(round_to_u8(rm));
+
+                for arg in [a, b, c].iter().take(op.airity() as usize) {
+                    arg.write_as_le_bytes_into(&mut buf);
+                }
+
+                // Verify that the created input parses correctly. We don't need to do the
+                // evaluation check, running the fuzzer will handle that.
+                match decode_eval_check(&buf, &cli_args, false) {
+                    Ok(()) | Err(Error::Check(_)) => (),
+                    Err(Error::Decode(e)) => panic!("error decoding: {e}"),
+                }
+
+                let mut f = fs::OpenOptions::new()
+                    .create(true)
+                    .write(true)
+                    .truncate(true)
+                    .open(dir.join(&name))
+                    .unwrap();
+                f.write_all(&mut buf).unwrap();
+                count += 1;
+            };
+
+            let airity = op.airity() as u8;
+            for (ai, a) in inputs.iter().enumerate() {
+                if airity == 1 {
+                    write_one(
+                        F::from_ap(*a),
+                        F::from_bits_u128(0),
+                        F::from_bits_u128(0),
+                        format_args!("{ai}"),
+                    )
+                } else {
+                    for (bi, b) in inputs.iter().enumerate() {
+                        if airity == 2 {
+                            write_one(
+                                F::from_ap(*a),
+                                F::from_ap(*b),
+                                F::from_bits_u128(0),
+                                format_args!("{ai}-{bi}"),
+                            )
+                        } else {
+                            assert_eq!(airity, 3);
+                            for (ci, c) in inputs.iter().enumerate() {
+                                write_one(
+                                    F::from_ap(*a),
+                                    F::from_ap(*b),
+                                    F::from_ap(*c),
+                                    format_args!("{ai}-{bi}-{ci}"),
+                                )
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    eprintln!("{flt_name}: wrote {count} files");
+    count
+}

fuzz/src/exhaustive.rs

@@ -18,7 +18,7 @@ use crate::for_each_repr;
 
 pub fn run_for_all_floats(cli_args: &Args) {
     let mut any_mismatches = false;
-    for_each_repr!(for F in all_floats!() {
+    for_each_repr!(for F in all_reprs!() {
         any_mismatches |= run_exhaustive::<F>(&cli_args).is_err();
     });
 

fuzz/src/main.rs

@@ -3,6 +3,7 @@
 #![allow(internal_features)] // for the below config
 #![feature(cfg_target_has_reliable_f16_f128)]
 
+mod corpus;
 mod exhaustive;
 mod host;
 
@@ -20,7 +21,7 @@ use rustc_apfloat::{Float, FloatConvert, Round, Status, StatusAnd, ieee};
 
 use crate::host::HostFloat;
 
-#[derive(Clone, Parser, Debug)]
+#[derive(Clone, Parser, Debug, Default)]
 struct Args {
     /// Disable comparison with C++ (LLVM's original) APFloat
     #[arg(long)]
@@ -57,6 +58,11 @@ enum Commands {
         /// The file to check. If unspecified or `-`, read from stdin.
         file: Option<PathBuf>,
     },
+    /// Construct a test corpus in the specified directory
+    Corpus {
+        /// The file to check. If unspecified or `-`, read from stdin.
+        outdir: PathBuf,
+    },
     /// Decode fuzzing in/out testcases (binary serialized `FuzzOp`s)
     Decode { files: Vec<PathBuf> },
 
@@ -106,6 +112,7 @@ fn main() {
                 reader.read_to_end(&mut buf).unwrap();
                 fuzz_check(&buf, true);
             }
+            Commands::Corpus { outdir } => corpus::generate(&outdir),
             Commands::Decode { files } => run_decode_subcmd(files, &cli_args),
             Commands::Bruteforce { .. } => exhaustive::run_for_all_floats(&cli_args),
         }
@@ -176,6 +183,7 @@ trait FloatRepr: Copy + Default + Eq + fmt::Display + fmt::Debug {
 
     // FIXME(const) `[u8; Self::BYTE_LEN]` would be better but requires MGCA.
     fn from_le_bytes(bytes: &[u8]) -> Self;
+    fn write_as_le_bytes_into(self, out_bytes: &mut Vec<u8>);
 
     fn to_bits_u128(self) -> u128;
     fn from_bits_u128(bits: u128) -> Self;
@@ -197,7 +205,7 @@ macro_rules! float_reprs {
         $(type HardFloat = $hard_float_ty:ty;)?
     })+) => {
         macro_rules! for_each_repr {
-            (for $ty_var:ident in all_floats!() $block:block) => {
+            (for $ty_var:ident in all_reprs!() $block:block) => {
                 $({
                    type $ty_var = $crate::$name;
                    $block
@@ -233,6 +241,9 @@ macro_rules! float_reprs {
                     );
                     Self(<$repr>::from_le_bytes(repr_bytes))
                 }
+                fn write_as_le_bytes_into(self, out_bytes: &mut Vec<u8>) {
+                    out_bytes.extend(&self.0.to_le_bytes()[..Self::BYTE_LEN]);
+                }
 
                 fn to_bits_u128(self) -> u128 {
                     self.0.into()
@@ -339,7 +350,7 @@ float_reprs! {
 
 pub(crate) use for_each_repr;
 
-#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord, FromPrimitive)]
+#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord, FromPrimitive, ToPrimitive)]
 pub enum FpKind {
     // The tag is based on the bit count. These are specified so corpus inputs are stable.
     Ieee16 = 16,
@@ -365,10 +376,6 @@ impl FpKind {
         Self::BrainF16,
         Self::X87_F80,
     ];
-
-    pub fn to_u8(self) -> u8 {
-        self as u8
-    }
 }
 
 /// A testable operation, which can be encoded as a byte.

justfile

@@ -1,8 +1,11 @@
 # Allow overriding the fuzz directories
+fuzz_in_unmin := env("FUZZ_IN_UNMIN", "fuzz/runs/in-unmin")
 fuzz_in := env("FUZZ_IN", "fuzz/runs/in")
 fuzz_out := env("FUZZ_OUT", "fuzz/runs/out")
+fuzz_bin := env("FUZZ_BIN", "target/release/rustc_apfloat-fuzz")
 
 alias f := fuzz
+alias fb := fuzz-build
 alias fp := fuzz-parallel
 alias fa := fuzz-attach
 alias fq := fuzz-parallel-quit
@@ -17,17 +20,27 @@ test:
     cargo test --workspace
 
 # Create directories and build the executable, but don't start fuzzing.
-_fuzz-setup:
+fuzz-build:
     mkdir -p "{{ fuzz_in }}"
     echo > "{{ fuzz_in }}/empty"
     cargo afl build -p rustc_apfloat-fuzz --release
 
+# Generate a corpus for fuzzing then run `cmin`
+gen: fuzz-build
+    rm -rf "{{ fuzz_in_unmin }}" "{{ fuzz_in }}"
+    cargo run -p rustc_apfloat-fuzz -- corpus "{{ fuzz_in_unmin }}"
+    cargo afl cmin \
+        -i "{{ fuzz_in_unmin }}" \
+        -o "{{ fuzz_in }}" \
+        -T "{{ num_cpus() }}" \
+        "{{ fuzz_bin }}"
+
 # Build the instrumented executable and fuzz it. See also: `fuzz-parallel`.
-fuzz: _fuzz-setup
-    cargo afl fuzz -i "{{ fuzz_in }}" -o "{{ fuzz_out }}" target/release/rustc_apfloat-fuzz
+fuzz: fuzz-build
+    cargo afl fuzz -i "{{ fuzz_in }}" -o "{{ fuzz_out }}" "{{ fuzz_bin }}"
 
 # Start fuzzing in parallel. Note this must be stopped with fuzz-parallel-quit (see fuzz-parallel.sh).
-fuzz-parallel *args: _fuzz-setup
+fuzz-parallel *args: fuzz-build
     etc/fuzz-parallel.sh {{ args }}
 
 # Attach to a running parallel fuzz session