@Manishearth
Member

This also updates the constructor fuzzer with the latest code. I guess it doesn't get CI'd.

I split out the "construct a date" code into common.rs so it can be reused.

These fuzzers appear to be running smoothly. I had to cap day values for the add fuzzer within Temporal range, though I think in the long run ICU4X should be throwing out of range errors for sufficiently large duration values.

@Manishearth Manishearth requested a review from sffc as a code owner October 31, 2025 17:53
@Manishearth Manishearth changed the title Add fuzzing for ICU4X calendar code Add fuzzing for calendar arithmetic code Oct 31, 2025
@Manishearth
Member Author

Manishearth commented Oct 31, 2025

add fails (twice)

thread '<unnamed>' (2739167) panicked at /home/manishearth/dev/icu4x/components/calendar/src/duration.rs:244:21:
0 + DateDuration { is_negative: false, years: 4294901760, months: 256, weeks: 0, days: 0 } out of year range
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==2739167== ERROR: libFuzzer: deadly signal
Failing input:

	fuzz/artifacts/add/crash-dc307a0329c2b1ed8f4ac344f7cedb7b04e90ce5

Output of `std::fmt::Debug`:

	FuzzInput {
	    ymd: Ymd {
	        year: 0,
	        month: 0,
	        day: 0,
	        month_interpretation: Ordinal,
	    },
	    duration: DateDuration {
	        is_negative: false,
	        years: 4294901760,
	        months: 256,
	        weeks: 0,
	        days: 0,
	    },
	    overflow_constrain: false,
	    cal: Dangi,
	}

Reproduce with:

	cargo fuzz run add fuzz/artifacts/add/crash-dc307a0329c2b1ed8f4ac344f7cedb7b04e90ce5

Minimize test case with:

	cargo fuzz tmin add fuzz/artifacts/add/crash-dc307a0329c2b1ed8f4ac344f7cedb7b04e90ce5


────────────────────────────────────────────────────────────────────────────────

Failing input:

	fuzz/artifacts/add/slow-unit-430c4ed1b80e79f55b6c7e9bbaf97ffebd93d326

Output of `std::fmt::Debug`:

	FuzzInput {
	    ymd: Ymd {
	        year: 0,
	        month: 0,
	        day: 0,
	        month_interpretation: Ordinal,
	    },
	    duration: DateDuration {
	        is_negative: false,
	        years: 0,
	        months: 1281,
	        weeks: 0,
	        days: 8589934592,
	    },
	    overflow_constrain: false,
	    cal: Dangi,
	}

Reproduce with:

	cargo fuzz run add fuzz/artifacts/add/slow-unit-430c4ed1b80e79f55b6c7e9bbaf97ffebd93d326

Minimize test case with:

	cargo fuzz tmin add fuzz/artifacts/add/slow-unit-430c4ed1b80e79f55b6c7e9bbaf97ffebd93d326

@Manishearth
Member Author

Manishearth commented Oct 31, 2025

Temporal.PlainDate.from({year:0, month: 1, day: 1, calendar: "dangi"}, {overflow: "constrain"}).add({years: 4294901760, months: 256})

crashes v8

Temporal.PlainDate.from({year:0, month: 1, day: 1, calendar: "dangi"}, {overflow: "constrain"}).add({months: 1281, days: 8589934592})

takes forever to run but eventually fails without crashing

@Manishearth
Member Author

I've done the same thing I did in my original PR: constrained the fuzzer appropriately to match our client usage (which I'm changing in boa-dev/temporal#615).

As we start to fix these issues we can relax the fuzzer. This keeps the fuzzer useful: I am able to fuzz what is (or will be) deployed in client use cases, while we can always locally tweak it as our confidence range expands.
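
An added sketch (not code from this PR or from the ICU4X fuzz targets) of one way a harness can restrict duration inputs to a client range before calling the code under test, checked against the two failing durations reported above. The integer widths, `MAX_SPAN_DAYS`, the per-unit day estimates, and the helper names are assumptions; this version skips out-of-range inputs rather than capping them.

```rust
// Added illustration, not code from the ICU4X fuzz targets.
// Field names follow the Debug output in the thread; integer widths are assumed.
#[derive(Debug, Clone, Copy)]
pub struct DateDuration {
    pub is_negative: bool,
    pub years: u32,
    pub months: u32,
    pub weeks: u32,
    pub days: u64,
}

// Assumed limit for this sketch: twice a roughly 10^8-day range either side of
// the epoch, so any in-range start date can still reach any in-range result.
pub const MAX_SPAN_DAYS: u64 = 200_000_000;

/// Loose upper bound on the days a duration covers. 400 days per year and
/// 31 per month are assumed over-estimates (lunisolar leap years included).
/// Returns None if the sum does not fit in a u64.
pub fn upper_bound_days(d: &DateDuration) -> Option<u64> {
    let years = u64::from(d.years).checked_mul(400)?;
    let months = u64::from(d.months).checked_mul(31)?;
    let weeks = u64::from(d.weeks).checked_mul(7)?;
    years.checked_add(months)?.checked_add(weeks)?.checked_add(d.days)
}

/// True when the duration is small enough to hand to the code under test.
pub fn in_client_range(d: &DateDuration) -> bool {
    matches!(upper_bound_days(d), Some(n) if n <= MAX_SPAN_DAYS)
}

/// Harness body: skip out-of-range inputs, otherwise run `target`.
/// Returns whether the target ran; `target` stands in for the date-add call.
pub fn fuzz_one(d: &DateDuration, target: impl FnOnce(&DateDuration)) -> bool {
    if !in_client_range(d) {
        return false;
    }
    target(d);
    true
}

fn main() {
    // The two failing durations reported in the thread.
    let crash = DateDuration { is_negative: false, years: 4294901760, months: 256, weeks: 0, days: 0 };
    let slow = DateDuration { is_negative: false, years: 0, months: 1281, weeks: 0, days: 8589934592 };
    for d in [crash, slow] {
        println!("{:?} -> ran: {}", d, fuzz_one(&d, |_| {}));
    }
}
```

Raising `MAX_SPAN_DAYS` is the single knob for relaxing the filter as the underlying range errors get fixed.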

jedel1043 pushed a commit to boa-dev/temporal that referenced this pull request Nov 1, 2025
…es before passing to ICU4X (#615)

We have some panics we should be avoiding here

unicode-org/icu4x#7206
@Manishearth Manishearth merged commit 1f64f76 into unicode-org:main Nov 4, 2025
30 checks passed
@Manishearth Manishearth deleted the more-fuzz branch November 4, 2025 16:41