> + fd = openat(AT_FDCWD, buf, O_WRONLY, 0);
> + if (fd < 0)
> + return fd;
> +
> + bytes_written = write(fd, (void *)data, data_size);
We need a check for bytes_written == data_size here. There's no way we can use a while-loop to ensure everything was written (because the debugfs handler expects us to write the whole packet at once), but at least a sanity check won't hurt.
> + err = tokenize(input_fmt, &tokens, &num_tokens);
> + if (err) {
> + printf("tokenization failed: %s\n", strerror(-err));
> + return err;
> + }
I would probably make tokenization part of parse(), but that's up to you.
> +
> + err = parse(tokens, num_tokens, &ast_prog);
> + if (err) {
> + printf("parsing failed: %s\n", strerror(-err));
> + return err;
> + }
> +
> + rs = new_rand_stream(input_filepath, 1024);
You probably need to destroy this stream after use, like you destroy the buffer. Same for the tokens.
> +
> +int append_bytes(struct byte_buffer *buf, const char *bytes, size_t num_bytes)
> +{
> + size_t req_size;
> + size_t new_size;
> + char *new_ptr;
> +
> + req_size = buf->num_bytes + num_bytes;
> + new_size = buf->alloc_size;
> +
> + while (req_size > new_size)
> + new_size *= 2;
> + if (new_size != buf->alloc_size) {
> + new_ptr = realloc(buf->buffer, new_size);
> + if (!buf->buffer)
You should be checking for !new_ptr here.
> +
> +static bool is_alpha(char c)
> +{
> + return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
> +}
> +
> +static bool is_whitespace(char c)
> +{
> + switch (c) {
> + case ' ':
> + case '\r':
> + case '\t':
> + case '\n':
> + return true;
> + default:
> + return false;
> + }
> +}
> +
> +static void skip_whitespace(struct lexer *l)
> +{
> + for (;;) {
> + if (is_whitespace(peek(l))) {
> + advance(l);
> + } else {
> + return;
> + }
> + }
> +}
while (is_whitespace(peek(l))) { advance(l); }
> --- /dev/null
> +++ b/tools/kfuzztest-bridge/input_parser.c
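Review bot: In append_bytes the sum `req_size = buf->num_bytes + num_bytes` is unchecked, and the growth loop `while (req_size > new_size) new_size *= 2;` cannot terminate if `buf->alloc_size` is 0 or if doubling wraps `size_t` around to 0. I would reject the overflow before the loop, e.g. `if (num_bytes > SIZE_MAX - buf->num_bytes) return -ENOMEM;` (or whichever error code this function already uses), and bail out once `new_size > SIZE_MAX / 2` instead of doubling again. The initial value of alloc_size and the rest of the function lie outside the quoted lines, so the zero case may already be excluded where the buffer is created.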
> @@ -0,0 +1,373 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Parser for KFuzzTest textual input format
Some description of the format would be useful here.
> + *
> + * Copyright 2025 Google LLC
> + */
> +#include <asm-generic/errno-base.h>
> +#include <stdio.h>
> +#include <string.h>
> +
> +#include "input_lexer.h"
> +#include "input_parser.h"
> +
> +#define MAX(a, b) ((a) > (b) ? (a) : (b))
> +
> +static struct token *peek(struct parser *p)
> +{
> + return p->tokens[p->curr_token];
> +}
> +
> +static struct token *advance(struct parser *p)
> +{
> + struct token *tok = peek(p);
> + p->curr_token++;
> + return tok;
> +}
It would be nice to check for p->token_count here.
> + region->num_members = 0;
> + while (!match(p, TOKEN_RBRACE)) {
> + err = parse_type(p, &node);
> + if (err)
> + goto fail;
> + region->members = realloc(region->members, ++region->num_members * sizeof(struct ast_node *));
Missing a NULL check here.
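Review bot: In the member loop, `++region->num_members` is evaluated inside the realloc() size expression and the result is stored straight back into `region->members`. On failure the count is therefore one ahead of the array, and the only pointer to the old block is overwritten, so cleanup under `fail:` can no longer free it. Growing through a temporary keeps both fields consistent: `tmp = realloc(region->members, (region->num_members + 1) * sizeof(*tmp));`, then `if (!tmp) { err = -ENOMEM; goto fail; }`, then `region->members = tmp; region->num_members++;`. The rest of the loop body and the fail label are outside the quoted lines, so what the cleanup path actually releases is an assumption here.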