Revise chewing fuzzer

1. Specify unique name for temp userdb. So we can run multiple fuzzers
   at the same time.
2. Reorganized as three fuzzers for different variants. So we can
   prioritize easily (default first, dynamic config last)

Author: kcwu

libchewing/Dockerfile

@@ -19,4 +19,4 @@ MAINTAINER kcwu@csie.org
 RUN apt-get install -y make autoconf automake libtool texinfo
 
 RUN git clone https://github.com/chewing/libchewing.git
-COPY build.sh chewing_fuzzer.c /src/
+COPY build.sh chewing_fuzzer_common.[ch] chewing_*_fuzzer.c /src/

libchewing/build.sh

@@ -25,11 +25,13 @@ make clean all
 # build your fuzzer(s)
 make -C test CFLAGS="$CFLAGS -Dmain=stress_main -Drand=get_fuzz_input" stress.o
 
-$CC $CFLAGS \
-    -o /out/chewing_fuzzer \
-    /src/chewing_fuzzer.c \
-    test/stress.o test/.libs/libtesthelper.a src/.libs/libchewing.a \
-    -lfuzzer $FUZZER_LDFLAGS
+for variant in default random_init dynamic_config; do
+    $CC $CFLAGS \
+	-o /out/chewing_${variant}_fuzzer \
+	/src/chewing_${variant}_fuzzer.c /src/chewing_fuzzer_common.c \
+	test/stress.o test/.libs/libtesthelper.a src/.libs/libchewing.a \
+	-lfuzzer $FUZZER_LDFLAGS
+done
 
 # install data files
 make -C data pkgdatadir=/out install

libchewing/chewing_default_fuzzer.c

@@ -0,0 +1,15 @@
+#include <stdio.h>
+
+#include "chewing_fuzzer_common.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  fuzz_input = fuzz_ptr = data;
+  fuzz_size = size;
+
+  const char* stress_argv[] = {
+      "./chewing_fuzzer", "-loop", "1", NULL,
+  };
+  stress_main(sizeof(stress_argv) / sizeof(stress_argv[0]) - 1,
+              (char**)stress_argv);
+  return 0;
+}

libchewing/chewing_dynamic_config_fuzzer.c

@@ -0,0 +1,15 @@
+#include <stdio.h>
+
+#include "chewing_fuzzer_common.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  fuzz_input = fuzz_ptr = data;
+  fuzz_size = size;
+
+  const char* stress_argv[] = {
+      "./chewing_fuzzer", "-loop", "1", "-extra", NULL,
+  };
+  stress_main(sizeof(stress_argv) / sizeof(stress_argv[0]) - 1,
+              (char**)stress_argv);
+  return 0;
+}

libchewing/chewing_fuzzer.c

@@ -0,0 +1,26 @@
+#include "chewing_fuzzer_common.h"
+
+#include <libgen.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+static char userphrase_path[] = "/tmp/chewing_userphrase.db.XXXXXX";
+
+int LLVMFuzzerInitialize(int* argc, char*** argv) {
+  char* exe_path = (*argv)[0];
+  char* dir = dirname(exe_path);
+  // Assume data files are at the same location as executable.
+  setenv("CHEWING_PATH", dir, 0);
+
+  // Specify user db of this process. So we can run multiple fuzzers at the
+  // same time.
+  mktemp(userphrase_path);
+  setenv("TEST_USERPHRASE_PATH", userphrase_path, 0);
+  return 0;
+}
+
+int get_fuzz_input() {
+  if (fuzz_ptr - fuzz_input >= fuzz_size)
+    return EOF;
+  return *fuzz_ptr++;
+}

libchewing/chewing_fuzzer_common.c

@@ -0,0 +1,13 @@
+#ifndef CHEWING_FUZZER_COMMON_H
+#define CHEWING_FUZZER_COMMON_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+const uint8_t* fuzz_ptr;
+const uint8_t* fuzz_input;
+size_t fuzz_size;
+
+int stress_main(int argc, char** argv);
+
+#endif

libchewing/chewing_fuzzer_common.h

@@ -0,0 +1,15 @@
+#include <stdio.h>
+
+#include "chewing_fuzzer_common.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  fuzz_input = fuzz_ptr = data;
+  fuzz_size = size;
+
+  const char* stress_argv[] = {
+      "./chewing_fuzzer", "-loop", "1", "-init", "-extra", NULL,
+  };
+  stress_main(sizeof(stress_argv) / sizeof(stress_argv[0]) - 1,
+              (char**)stress_argv);
+  return 0;
+}