Can not fuzz example minimal topic

[zouyonghao]

I try to fuzz the example minimal_topic with following steps

1. ros2_fuzzer

root@465732971adb:/opt/ros_ws# ros2_fuzzer 
? What do you want to fuzz?  [['minimal_topic', {'headers_file': 'std_msgs/msg/string.hpp', 'source': 'src/publisher_subscriber_exa
      i     | minimal_topic: created fuzzer for the topic
      i     | └── src/publisher_subscriber_example/src/publisher_member_function_generated.cpp
      i     | Fuzzer(s) generated successfully
     [!]    | Please link the fuzzers to their CMakeLists.txt files,
     [!]    | recompile the projects with instrumentalization and start the fuzzers.

2. modify CMakeList.txt

add_executable(generated_fuzzer src/publisher_member_function_generated.cpp)
ament_target_dependencies(generated_fuzzer rclcpp tutorial_interfaces)

install(TARGETS
talker
listener
generated_fuzzer
DESTINATION lib/${PROJECT_NAME})

3. colcon build

root@465732971adb:/opt/ros_ws# colcon build
Starting >>> tutorial_interfaces
Starting >>> publisher_subscriber_example
Finished <<< tutorial_interfaces [0.39s]                                                                                 
Starting >>> client_service_example
Finished <<< client_service_example [0.14s]                                                                              
--- stderr: publisher_subscriber_example                             
afl-cc 2.57b by <[email protected]>
/opt/ros_ws/src/publisher_subscriber_example/src/publisher_member_function_generated.cpp: In member function ‘void FuzzerPublisher::timer_callback()’:
/opt/ros_ws/src/publisher_subscriber_example/src/publisher_member_function_generated.cpp:220:23: error: too few arguments to function ‘bool getString(std::string&, uint8_t)’
  220 |     if (!getString(_v0)) return;
      |                       ^
/opt/ros_ws/src/publisher_subscriber_example/src/publisher_member_function_generated.cpp:160:6: note: declared here
  160 | bool getString(std::string& s, uint8_t size)
      |      ^~~~~~~~~
/opt/ros_ws/src/publisher_subscriber_example/src/publisher_member_function_generated.cpp:221:5: error: ‘request’ was not declared in this scope
  221 |     request->data = _v0;
      |     ^~~~~~~
/opt/ros_ws/src/publisher_subscriber_example/src/publisher_member_function_generated.cpp:224:7: error: ‘howMuch’ was not declared in this scope
  224 |   if (howMuch == 0) {
      |       ^~~~~~~
/opt/ros_ws/src/publisher_subscriber_example/src/publisher_member_function_generated.cpp: In function ‘void __injector_init()’:
/opt/ros_ws/src/publisher_subscriber_example/src/publisher_member_function_generated.cpp:295:19: warning: ISO C++ forbids converting a string constant to ‘char*’ [-Wwrite-strings]
  295 |   char* argv[] = {"./my_fuzz_target", NULL};
      |                   ^~~~~~~~~~~~~~~~~~
make[2]: *** [CMakeFiles/generated_fuzzer.dir/build.make:63: CMakeFiles/generated_fuzzer.dir/src/publisher_member_function_generated.cpp.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:82: CMakeFiles/generated_fuzzer.dir/all] Error 2
make: *** [Makefile:141: all] Error 2
---
Failed   <<< publisher_subscriber_example [2.04s, exited with code 2]

Summary: 2 packages finished [2.21s]
  1 package failed: publisher_subscriber_example
  1 package had stderr output: publisher_subscriber_example

[JnxF]

Thanks @zouyonghao for pointing out this problem.

I unfortunately don't have time right now, but it requires modifiying this function [1] to account for the special case of strings, which requires an extra parameter controlling how long the generated string is. A pull request would be appreciated adding a fresh variable before with getInt8 (and modulo 100, for instance) in the special case of strings.

[1]

ros2_fuzz/ros2_automatic_fuzzer/ros2_fuzzer/fuzzing_utils/fuzzing_descriptor.py

Line 70 in a01394f

+ f"if (!get{field.type.type_name.capitalize()}({fresh})) return;\n"