Add a tiny fuzz test framework (#9050)

* Add a Homebrew-compatible toolchain file
* Manage libfuzzer flags from toolchain settings
* Add stdlib-based fuzzer
* Makefile support for fuzz tests
* Make random numbers reproducible across platforms

Author: alexreinking

CMakePresets.json

@@ -188,6 +188,20 @@
         "Halide_LLVM_ROOT": "/opt/homebrew/opt/llvm"
       }
     },
+    {
+      "name": "macOS-fuzz",
+      "displayName": "macOS (Fuzz)",
+      "description": "macOS fuzzing build",
+      "inherits": "macOS",
+      "toolchainFile": "${sourceDir}/cmake/toolchain.macos-homebrew.cmake",
+      "cacheVariables": {
+        "CMAKE_C_FLAGS": "-fsanitize=fuzzer-no-link -O1 -g3",
+        "CMAKE_CXX_FLAGS": "-fsanitize=fuzzer-no-link -O1 -g3",
+        "CMAKE_EXE_LINKER_FLAGS": "-fsanitize=fuzzer",
+        "CMAKE_MODULE_LINKER_FLAGS": "-fsanitize=fuzzer",
+        "CMAKE_SHARED_LINKER_FLAGS": "-fsanitize=fuzzer"
+      }
+    },
     {
       "name": "macOS-vcpkg",
       "inherits": [

Makefile

@@ -1284,6 +1284,7 @@ PERFORMANCE_TESTS = $(shell ls $(ROOT_DIR)/test/performance/*.cpp)
 ERROR_TESTS = $(shell ls $(ROOT_DIR)/test/error/*.cpp)
 WARNING_TESTS = $(shell ls $(ROOT_DIR)/test/warning/*.cpp)
 RUNTIME_TESTS = $(shell ls $(ROOT_DIR)/test/runtime/*.cpp)
+FUZZ_TESTS = $(filter-out %halide_fuzz_main.cpp, $(shell ls $(ROOT_DIR)/test/fuzz/*.cpp))
 GENERATOR_EXTERNAL_TESTS := $(shell ls $(ROOT_DIR)/test/generator/*test.cpp)
 GENERATOR_EXTERNAL_TEST_GENERATOR := $(shell ls $(ROOT_DIR)/test/generator/*_generator.cpp)
 TUTORIALS = $(filter-out %_generate.cpp, $(shell ls $(ROOT_DIR)/tutorial/*.cpp))
@@ -1297,6 +1298,7 @@ test_performance: $(PERFORMANCE_TESTS:$(ROOT_DIR)/test/performance/%.cpp=perform
 test_error: $(ERROR_TESTS:$(ROOT_DIR)/test/error/%.cpp=error_%)
 test_warning: $(WARNING_TESTS:$(ROOT_DIR)/test/warning/%.cpp=warning_%)
 test_runtime: $(RUNTIME_TESTS:$(ROOT_DIR)/test/runtime/%.cpp=runtime_%)
+test_fuzz: $(FUZZ_TESTS:$(ROOT_DIR)/test/fuzz/%.cpp=fuzz_%)
 test_tutorial: $(TUTORIALS:$(ROOT_DIR)/tutorial/%.cpp=tutorial_%)
 test_valgrind: $(CORRECTNESS_TESTS:$(ROOT_DIR)/test/correctness/%.cpp=valgrind_%)
 test_avx512: $(CORRECTNESS_TESTS:$(ROOT_DIR)/test/correctness/%.cpp=avx512_%)
@@ -1392,6 +1394,7 @@ build_tests: $(CORRECTNESS_TESTS:$(ROOT_DIR)/test/correctness/%.cpp=$(BIN_DIR)/c
 	$(ERROR_TESTS:$(ROOT_DIR)/test/error/%.cpp=$(BIN_DIR)/error_%) \
 	$(WARNING_TESTS:$(ROOT_DIR)/test/warning/%.cpp=$(BIN_DIR)/warning_%) \
 	$(RUNTIME_TESTS:$(ROOT_DIR)/test/runtime/%.cpp=$(BIN_DIR)/runtime_%) \
+	$(FUZZ_TESTS:$(ROOT_DIR)/test/fuzz/%.cpp=$(BIN_DIR)/fuzz_%) \
 	$(GENERATOR_EXTERNAL_TESTS:$(ROOT_DIR)/test/generator/%_aottest.cpp=$(BIN_DIR)/$(TARGET)/generator_aot_%) \
 	$(GENERATOR_EXTERNAL_TESTS:$(ROOT_DIR)/test/generator/%_jittest.cpp=$(BIN_DIR)/generator_jit_%) \
 	$(MULLAPUDI2016_TESTS:$(ROOT_DIR)/test/autoschedulers/mullapudi2016/%.cpp=$(BIN_DIR)/mullapudi2016_%) \
@@ -1470,6 +1473,9 @@ $(BIN_DIR)/$(TARGET)/correctness_opencl_runtime: $(ROOT_DIR)/test/correctness/op
 $(BIN_DIR)/performance_%: $(ROOT_DIR)/test/performance/%.cpp $(TEST_DEPS)
 	$(CXX) $(TEST_CXX_FLAGS) $(OPTIMIZE) $< -I$(INCLUDE_DIR) -I$(ROOT_DIR)/src/runtime -I$(ROOT_DIR)/test/common $(TEST_LD_FLAGS) -o $@
 
+$(BIN_DIR)/fuzz_%: $(ROOT_DIR)/test/fuzz/%.cpp $(ROOT_DIR)/test/fuzz/halide_fuzz_main.cpp $(ROOT_DIR)/test/fuzz/fuzz_helpers.h $(ROOT_DIR)/test/fuzz/halide_fuzz_main.h $(TEST_DEPS)
+	$(CXX) $(TEST_CXX_FLAGS) -I$(ROOT_DIR)/src/runtime -I$(ROOT_DIR)/test/common $(OPTIMIZE_FOR_BUILD_TIME) $(filter %.cpp,$^) -I$(INCLUDE_DIR) $(TEST_LD_FLAGS) -o $@ -DHALIDE_FUZZER_BACKEND=0
+
 # Error tests that link against libHalide
 $(BIN_DIR)/error_%: $(ROOT_DIR)/test/error/%.cpp $(TEST_DEPS)
 	$(CXX) $(TEST_CXX_FLAGS) -I$(ROOT_DIR)/src/runtime -I$(ROOT_DIR)/test/common $(OPTIMIZE_FOR_BUILD_TIME) $< -I$(INCLUDE_DIR) $(TEST_LD_FLAGS) -o $@
@@ -2063,6 +2069,11 @@ quiet_correctness_%: $(BIN_DIR)/correctness_%
 	@-mkdir -p $(TMP_DIR)
 	@cd $(TMP_DIR) ; ( $(CURDIR)/$< 2>stderr_$*.txt > stdout_$*.txt && echo -n . ) || ( echo ; echo FAILED TEST: $* ; cat stdout_$*.txt stderr_$*.txt ; false )
 
+fuzz_%: $(BIN_DIR)/fuzz_%
+	@-mkdir -p $(TMP_DIR)
+	cd $(TMP_DIR) ; $(CURDIR)/$<
+	@-echo
+
 valgrind_%: $(BIN_DIR)/correctness_%
 	@-mkdir -p $(TMP_DIR)
 	cd $(TMP_DIR) ; valgrind --error-exitcode=-1 $(CURDIR)/$<

cmake/toolchain.macos-homebrew.cmake

@@ -0,0 +1,37 @@
+cmake_minimum_required(VERSION 3.28)
+
+set(CMAKE_C_COMPILER /opt/homebrew/opt/llvm@21/bin/clang)
+set(CMAKE_CXX_COMPILER /opt/homebrew/opt/llvm@21/bin/clang++)
+
+if (NOT DEFINED CMAKE_SYSROOT)
+    execute_process(
+        COMMAND xcrun --show-sdk-path
+        OUTPUT_VARIABLE CMAKE_SYSROOT
+        OUTPUT_STRIP_TRAILING_WHITESPACE
+        COMMAND_ERROR_IS_FATAL ANY)
+endif ()
+
+set(CMAKE_SYSROOT "${CMAKE_SYSROOT}" CACHE PATH "")
+
+if (NOT DEFINED XC_TOOLCHAIN_PATH)
+    execute_process(
+        COMMAND xcrun --find clang
+        OUTPUT_VARIABLE XC_TOOLCHAIN_PATH
+        OUTPUT_STRIP_TRAILING_WHITESPACE
+        COMMAND_ERROR_IS_FATAL ANY)
+    cmake_path(SET XC_TOOLCHAIN_PATH NORMALIZE "${XC_TOOLCHAIN_PATH}/../../..")
+endif ()
+
+set(XC_TOOLCHAIN_PATH "${XC_TOOLCHAIN_PATH}" CACHE PATH "")
+
+set(CMAKE_C_STANDARD_INCLUDE_DIRECTORIES
+    "${CMAKE_SYSROOT}/usr/include"
+    "${XC_TOOLCHAIN_PATH}/usr/include"
+    "${CMAKE_SYSROOT}/System/Library/Frameworks"
+    "${CMAKE_SYSROOT}/System/Library/SubFrameworks"
+)
+
+set(CMAKE_CXX_STANDARD_INCLUDE_DIRECTORIES
+    "${CMAKE_SYSROOT}/usr/include/c++/v1"
+    ${CMAKE_C_STANDARD_INCLUDE_DIRECTORIES}
+)

run-clang-tidy.sh

@@ -111,27 +111,7 @@ export CMAKE_EXPORT_COMPILE_COMMANDS=ON
 export Halide_LLVM_ROOT="${CLANG_TIDY_LLVM_INSTALL_DIR}"
 
 if [[ $(${CC} --version) =~ .*Homebrew.* ]]; then
-    # Homebrew clang 21 is badly misconfigured and needs help finding the
-    # system headers, even though it uses system libc++ by default.
-    SDKROOT="$(xcrun --show-sdk-path)"
-    # TOOLCHAINROOT="$(xcrun --show-toolchain-path)"
-    TOOLCHAINROOT="$(cd "$(dirname "$(xcrun --find clang)")"/../.. && pwd)"
-    RCDIR="$(xcrun clang -print-resource-dir)"
-    cat >"${CLANG_TIDY_BUILD_DIR}/toolchain.cmake" <<EOF
-set(CMAKE_SYSROOT "${SDKROOT}")
-set(CMAKE_C_STANDARD_INCLUDE_DIRECTORIES
-    "${RCDIR}/include"
-    "${SDKROOT}/usr/include"
-    "${TOOLCHAINROOT}/usr/include"
-    "${SDKROOT}/System/Library/Frameworks"
-    "${SDKROOT}/System/Library/SubFrameworks"
-)
-set(CMAKE_CXX_STANDARD_INCLUDE_DIRECTORIES
-    "${SDKROOT}/usr/include/c++/v1"
-    \${CMAKE_C_STANDARD_INCLUDE_DIRECTORIES}
-)
-EOF
-    export CMAKE_TOOLCHAIN_FILE="${CLANG_TIDY_BUILD_DIR}/toolchain.cmake"
+    export CMAKE_TOOLCHAIN_FILE="${ROOT_DIR}/cmake/toolchain.macos-homebrew.cmake"
 fi
 
 echo Configuring Halide...

src/Bounds.cpp

@@ -198,7 +198,11 @@ class Bounds : public IRVisitor {
         void log_line(Args &&...args) {
             debug(0) << self->log_spaces();
             // C++17 right fold
-            (debug(0) << ... << args) << "\n";
+            auto dump = [](auto &&arg) {
+                debug(0) << arg;
+            };
+            (dump(args), ...);
+            debug(0) << "\n";
         }
 
         ~BoundsLogger() {
@@ -2144,7 +2148,11 @@ class BoxesTouched : public IRGraphVisitor {
         void log_line(Args &&...args) {
             debug(0) << self->log_spaces();
             // C++17 right fold
-            (debug(0) << ... << args) << "\n";
+            auto dump = [](auto &&arg) {
+                debug(0) << arg;
+            };
+            (dump(args), ...);
+            debug(0) << "\n";
         }
 
         BoxesTouchedLogger(BoxesTouched *self, const char *pretty_function)

test/CMakeLists.txt

@@ -67,36 +67,7 @@ endif ()
 
 # FIXME: failing_with_issue is dead code :)
 
-# Ensure that basic sanitizer flags are supported;
-# - Address sanitizer is often used in conjunction with fuzzing as it will detect
-#   common high severity bugs. This sanitizer is used as a "default" for fuzzing
-#   when the sanitizer isn't otherwise specified.
-# - Fuzzer sanitizer will link against libfuzzer and is currently only supported
-#   on clang/msvc and isn't supported with GCC. If you need to use these fuzzers
-#   with a GCC based project you should consider looking into the LIB_FUZZING_ENGINE
-#   env variable defined in `test/fuzz/CMakeLists.txt`.
-set(CMAKE_REQUIRED_LINK_OPTIONS "-fsanitize=fuzzer,address")
-set(CMAKE_REQUIRED_FLAGS "-fsanitize=fuzzer-no-link,address")
-check_cxx_source_compiles([[
-#include <cstdint>
-#include <cstddef>
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, std::size_t Size) {
-  return 0;
-}
-]] HAS_FUZZ_FLAGS)
-
-if (NOT HAS_FUZZ_FLAGS)
-    message(VERBOSE "Compiler does not support libfuzzer sanitizer.")
-else ()
-    message(VERBOSE "Compiler supports libfuzzer sanitizer.")
-endif ()
-
-# Note that we want to default WITH_TEST_FUZZ to OFF, even if HAS_FUZZ_FLAGS
-# is true: just because our compiler supports fuzzing doesn't mean we want to
-# build the fuzz tests, because they won't really build properly without the
-# right preset specified.
-Halide_feature(WITH_TEST_FUZZ "Build fuzz tests" AUTO
-               DEPENDS HAS_FUZZ_FLAGS)
+Halide_feature(WITH_TEST_FUZZ "Build fuzz tests" ON)
 if (WITH_TEST_FUZZ)
     add_subdirectory(fuzz)
 endif ()

test/fuzz/CMakeLists.txt

@@ -1,3 +1,10 @@
+if (NOT LIB_FUZZING_ENGINE)
+    set(LIB_FUZZING_ENGINE "$ENV{LIB_FUZZING_ENGINE}")
+endif ()
+
+set(LIB_FUZZING_ENGINE "${LIB_FUZZING_ENGINE}"
+    CACHE STRING "Extra link libraries arguments for fuzz tests.")
+
 tests(GROUPS fuzz
       SOURCES
       bounds.cpp
@@ -15,25 +22,31 @@ tests(GROUPS fuzz
       USE_EXIT_CODE_ONLY
 )
 
+# Check whether the configured toolchain can compile a libfuzzer test harness.
+# If this fails, the user likely needs to set up their environment to use a
+# compatible fuzzing engine (e.g. by setting up a toolchain file).
+check_cxx_source_compiles([[
+#include <cstdint>
+#include <cstddef>
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, std::size_t Size) {
+  return 0;
+}
+]] HAVE_LIBFUZZER_FLAGS)
 
-# By default we are going to use the libfuzzer engine. However if
-# LIB_FUZZING_ENGINE is declared you can override the fuzzing engine to one of;
-# - Centipede
-# - Hongfuzz
-# - AFL++
-# - etc.
-set(LIB_FUZZING_ENGINE "$ENV{LIB_FUZZING_ENGINE}"
-    CACHE STRING "Compiler flags necessary to link the fuzzing engine of choice e.g. libfuzzer, afl etc.")
+add_library(Halide_fuzz INTERFACE)
+add_library(Halide::fuzz ALIAS Halide_fuzz)
 
-foreach(fuzzer "fuzz_bounds" "fuzz_cse")
-  target_link_libraries(${fuzzer} PRIVATE Halide::Halide)
+if (NOT HAVE_LIBFUZZER_FLAGS)
+    if (LIB_FUZZING_ENGINE)
+        message(FATAL_ERROR "Cannot set LIB_FUZZING_ENGINE when not building with -fsanitize=fuzzer or a compatible fuzzing engine.")
+    endif ()
+    target_sources(Halide_fuzz INTERFACE halide_fuzz_main.cpp halide_fuzz_main.h)
+    target_compile_definitions(Halide_fuzz INTERFACE HALIDE_FUZZER_BACKEND=HALIDE_FUZZER_BACKEND_STDLIB)
+else ()
+    target_link_libraries(Halide_fuzz INTERFACE ${LIB_FUZZING_ENGINE})
+    target_compile_definitions(Halide_fuzz INTERFACE HALIDE_FUZZER_BACKEND=HALIDE_FUZZER_BACKEND_LIBFUZZER)
+endif ()
 
-  # Allow OSS-fuzz to manage flags directly
-  if (LIB_FUZZING_ENGINE)
-    target_link_libraries(${fuzzer} PRIVATE "${LIB_FUZZING_ENGINE}")
-  else ()
-    # By default just build with address-sanitizers/libfuzzer for local testing
-    target_compile_options(${fuzzer} PRIVATE -fsanitize=fuzzer-no-link)
-    target_link_options(${fuzzer} PRIVATE -fsanitize=fuzzer)
-  endif ()
-endforeach()
+foreach (fuzzer IN LISTS TEST_NAMES)
+    target_link_libraries("${fuzzer}" PRIVATE Halide::fuzz)
+endforeach ()