fuzz: add syntactic structurally aware fuzzers

This makes uses of the new 'arbitrary' feature in 'regex-syntax' to make
fuzzing much more targeted and complete.

Closes #848

Author: addisoncrump

fuzz/.gitignore

@@ -1,3 +1,4 @@
 target
 corpus
 artifacts
+coverage

fuzz/Cargo.toml

@@ -1,18 +1,25 @@
 [package]
 name = "regex-fuzz"
 version = "0.0.0"
-authors = ["David Korczynski <david@adalogics.com>"]
+authors = [
+  "The Rust Project Developers",
+  "David Korczynski <david@adalogics.com>",
+  "Addison Crump <me@addisoncrump.info>",
+  "Andrew Gallant <jamslam@gmail.com>",
+]
 publish = false
 edition = "2021"
 
 [package.metadata]
 cargo-fuzz = true
 
 [dependencies]
+arbitrary = { version = "1.3.0", features = ["derive"] }
 libfuzzer-sys = { version = "0.4.1", features = ["arbitrary-derive"] }
 regex = { path = ".." }
 regex-automata = { path = "../regex-automata" }
 regex-lite = { path = "../regex-lite" }
+regex-syntax = { path = "../regex-syntax", features = ["arbitrary"] }
 
 # Prevent this from interfering with workspaces
 [workspace]
@@ -34,6 +41,22 @@ path = "fuzz_targets/fuzz_regex_automata_deserialize_dense_dfa.rs"
 name = "fuzz_regex_automata_deserialize_sparse_dfa"
 path = "fuzz_targets/fuzz_regex_automata_deserialize_sparse_dfa.rs"
 
+[[bin]]
+name = "ast_roundtrip"
+path = "fuzz_targets/ast_roundtrip.rs"
+
+[[bin]]
+name = "ast_fuzz_match"
+path = "fuzz_targets/ast_fuzz_match.rs"
+
+[[bin]]
+name = "ast_fuzz_regex"
+path = "fuzz_targets/ast_fuzz_regex.rs"
+
+[[bin]]
+name = "ast_fuzz_match_bytes"
+path = "fuzz_targets/ast_fuzz_match_bytes.rs"
+
 [profile.release]
 opt-level = 3
 debug = true

fuzz/fuzz_targets/ast_fuzz_match.rs

@@ -0,0 +1,30 @@
+#![no_main]
+
+use {
+    libfuzzer_sys::fuzz_target, regex::RegexBuilder, regex_syntax::ast::Ast,
+};
+
+#[derive(Eq, PartialEq, arbitrary::Arbitrary)]
+struct FuzzData {
+    ast: Ast,
+    haystack: String,
+}
+
+impl std::fmt::Debug for FuzzData {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let mut builder = f.debug_struct("FuzzData");
+        builder.field("ast", &format!("{}", self.ast));
+        builder.field("haystack", &self.haystack);
+        builder.finish()
+    }
+}
+
+fuzz_target!(|data: FuzzData| {
+    let pattern = format!("{}", data.ast);
+    let Ok(re) = RegexBuilder::new(&pattern).size_limit(1<<20).build() else {
+        return
+    };
+    re.is_match(&data.haystack);
+    re.find(&data.haystack);
+    re.captures(&data.haystack).map_or(0, |c| c.len());
+});

fuzz/fuzz_targets/ast_fuzz_match_bytes.rs

@@ -0,0 +1,31 @@
+#![no_main]
+
+use {
+    libfuzzer_sys::fuzz_target, regex::bytes::RegexBuilder,
+    regex_syntax::ast::Ast,
+};
+
+#[derive(arbitrary::Arbitrary, Eq, PartialEq)]
+struct FuzzData {
+    ast: Ast,
+    haystack: Vec<u8>,
+}
+
+impl std::fmt::Debug for FuzzData {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let mut builder = f.debug_struct("FuzzData");
+        builder.field("ast", &format!("{}", self.ast));
+        builder.field("haystack", &self.haystack);
+        builder.finish()
+    }
+}
+
+fuzz_target!(|data: FuzzData| {
+    let pattern = format!("{}", data.ast);
+    let Ok(re) = RegexBuilder::new(&pattern).size_limit(1<<20).build() else {
+        return
+    };
+    re.is_match(&data.haystack);
+    re.find(&data.haystack);
+    re.captures(&data.haystack).map_or(0, |c| c.len());
+});

fuzz/fuzz_targets/ast_fuzz_regex.rs

@@ -0,0 +1,23 @@
+#![no_main]
+
+use {
+    libfuzzer_sys::fuzz_target, regex::RegexBuilder, regex_syntax::ast::Ast,
+};
+
+#[derive(Eq, PartialEq, arbitrary::Arbitrary)]
+struct FuzzData {
+    ast: Ast,
+}
+
+impl std::fmt::Debug for FuzzData {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let mut builder = f.debug_struct("FuzzData");
+        builder.field("ast", &format!("{}", self.ast));
+        builder.finish()
+    }
+}
+
+fuzz_target!(|data: FuzzData| {
+    let pattern = format!("{}", data.ast);
+    RegexBuilder::new(&pattern).size_limit(1 << 20).build().ok();
+});

fuzz/fuzz_targets/ast_roundtrip.rs

@@ -0,0 +1,70 @@
+#![no_main]
+
+use {
+    libfuzzer_sys::{fuzz_target, Corpus},
+    regex_syntax::ast::{
+        parse::Parser, visit, Ast, Flag, Group, GroupKind, SetFlags, Visitor,
+    },
+};
+
+#[derive(Eq, PartialEq, arbitrary::Arbitrary)]
+struct FuzzData {
+    ast: Ast,
+}
+
+impl std::fmt::Debug for FuzzData {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let mut builder = f.debug_struct("FuzzData");
+        builder.field("ast", &format!("{}", self.ast));
+        builder.finish()
+    }
+}
+
+struct VerboseVisitor;
+
+impl Visitor for VerboseVisitor {
+    type Output = ();
+    type Err = ();
+
+    fn finish(self) -> Result<Self::Output, Self::Err> {
+        Ok(())
+    }
+
+    fn visit_pre(&mut self, ast: &Ast) -> Result<Self::Output, Self::Err> {
+        match ast {
+            Ast::Flags(SetFlags { flags, .. })
+            | Ast::Group(Group {
+                kind: GroupKind::NonCapturing(flags), ..
+            }) if flags
+                .flag_state(Flag::IgnoreWhitespace)
+                .unwrap_or(false) =>
+            {
+                Err(())
+            }
+            _ => Ok(()),
+        }
+    }
+}
+
+fuzz_target!(|data: FuzzData| -> Corpus {
+    let pattern = format!("{}", data.ast);
+    let Ok(ast) = Parser::new().parse(&pattern) else {
+        return Corpus::Keep;
+    };
+    if visit(&ast, VerboseVisitor).is_err() {
+        return Corpus::Reject;
+    }
+    let ast2 = Parser::new().parse(&ast.to_string()).unwrap();
+    assert_eq!(
+        ast,
+        ast2,
+        "Found difference:\
+         \nleft:  {:?}\
+         \nright: {:?}\
+         \nIf these two match, then there was a parsing difference; \
+           maybe non-determinism?",
+        ast.to_string(),
+        ast2.to_string()
+    );
+    Corpus::Keep
+});