Add Redis source code for testing

1 files changed, 406 insertions, 0 deletions

diff --git a/examples/redis-unstable/modules/vector-sets/fastjson_test.c b/examples/redis-unstable/modules/vector-sets/fastjson_test.c
new file mode 100644
index 0000000..1ea76a9
--- /dev/null
+++ b/examples/redis-unstable/modules/vector-sets/fastjson_test.c
@@ -0,0 +1,406 @@
+/* fastjson_test.c - Stress test for fastjson.c
+ *
+ * This performs boundary and corruption tests to ensure
+ * the JSON parser handles edge cases without accessing
+ * memory outside the bounds of the input.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <signal.h>
+#include <time.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <setjmp.h>
+
+/* Page size constant - typically 4096 or 16k bytes (Apple Silicon).
+ * We use 16k so that it will work on both, but not with Linux huge pages. */
+#define PAGE_SIZE 4096*4
+#define MAX_JSON_SIZE (PAGE_SIZE - 128)  /* Keep some margin */
+#define MAX_FIELD_SIZE 64
+#define NUM_TEST_ITERATIONS 100000
+#define NUM_CORRUPTION_TESTS 10000
+#define NUM_BOUNDARY_TESTS 10000
+
+/* Test state tracking */
+static char *safe_page = NULL;       /* Start of readable/writable page */
+static char *unsafe_page = NULL;     /* Start of inaccessible guard page */
+static int boundary_violation = 0;   /* Flag for boundary violations */
+static jmp_buf jmpbuf;               /* For signal handling */
+static int tests_passed = 0;
+static int tests_failed = 0;
+static int corruptions_passed = 0;
+static int boundary_tests_passed = 0;
+
+/* Test metadata for tracking */
+typedef struct {
+    char *json;
+    size_t json_len;
+    char field[MAX_FIELD_SIZE];
+    size_t field_len;
+    int expected_result;
+} test_case_t;
+
+/* Forward declarations for test JSON generation */
+char *generate_random_json(size_t *len, char *field, size_t *field_len, int *has_field);
+void corrupt_json(char *json, size_t len);
+void setup_test_memory(void);
+void cleanup_test_memory(void);
+void run_normal_tests(void);
+void run_corruption_tests(void);
+void run_boundary_tests(void);
+void print_test_summary(void);
+
+/* Signal handler for segmentation violations */
+static void sigsegv_handler(int sig) {
+    boundary_violation = 1;
+    printf("Boundary violation detected! Caught signal %d\n", sig);
+    longjmp(jmpbuf, 1);
+}
+
+/* Wrapper for jsonExtractField to check for boundary violations */
+exprtoken *safe_extract_field(const char *json, size_t json_len,
+                             const char *field, size_t field_len) {
+    boundary_violation = 0;
+
+    if (setjmp(jmpbuf) == 0) {
+        return jsonExtractField(json, json_len, field, field_len);
+    } else {
+        return NULL; /* Return NULL if boundary violation occurred */
+    }
+}
+
+/* Setup two adjacent memory pages - one readable/writable, one inaccessible */
+void setup_test_memory(void) {
+    /* Request a page of memory, with specific alignment. We rely on the
+     * fact that hopefully the page after that will cause a segfault if
+     * accessed. */
+    void *region = mmap(NULL, PAGE_SIZE,
+                       PROT_READ | PROT_WRITE,
+                       MAP_PRIVATE | MAP_ANONYMOUS,
+                       -1, 0);
+
+    if (region == MAP_FAILED) {
+        perror("mmap failed");
+        exit(EXIT_FAILURE);
+    }
+
+    safe_page = (char*)region;
+    unsafe_page = safe_page + PAGE_SIZE;
+    // Uncomment to make sure it crashes :D
+    // printf("%d\n", unsafe_page[5]);
+
+    /* Set up signal handlers for memory access violations */
+    struct sigaction sa;
+    sa.sa_handler = sigsegv_handler;
+    sigemptyset(&sa.sa_mask);
+    sa.sa_flags = 0;
+
+    sigaction(SIGSEGV, &sa, NULL);
+    sigaction(SIGBUS, &sa, NULL);
+}
+
+void cleanup_test_memory(void) {
+    if (safe_page != NULL) {
+        munmap(safe_page, PAGE_SIZE);
+        safe_page = NULL;
+        unsafe_page = NULL;
+    }
+}
+
+/* Generate random strings with proper escaping for JSON */
+void generate_random_string(char *buffer, size_t max_len) {
+    static const char charset[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+    size_t len = 1 + rand() % (max_len - 2); /* Ensure at least 1 char */
+
+    for (size_t i = 0; i < len; i++) {
+        buffer[i] = charset[rand() % (sizeof(charset) - 1)];
+    }
+    buffer[len] = '\0';
+}
+
+/* Generate random numbers as strings */
+void generate_random_number(char *buffer, size_t max_len) {
+    double num = (double)rand() / RAND_MAX * 1000.0;
+
+    /* Occasionally make it negative or add decimal places */
+    if (rand() % 5 == 0) num = -num;
+    if (rand() % 3 != 0) num += (double)(rand() % 100) / 100.0;
+
+    snprintf(buffer, max_len, "%.6g", num);
+}
+
+/* Generate a random field name */
+void generate_random_field(char *field, size_t *field_len) {
+    generate_random_string(field, MAX_FIELD_SIZE / 2);
+    *field_len = strlen(field);
+}
+
+/* Generate a random JSON object with fields */
+char *generate_random_json(size_t *len, char *field, size_t *field_len, int *has_field) {
+    char *json = malloc(MAX_JSON_SIZE);
+    if (json == NULL) {
+        perror("malloc");
+        exit(EXIT_FAILURE);
+    }
+
+    char buffer[MAX_JSON_SIZE / 4]; /* Buffer for generating values */
+    int pos = 0;
+    int num_fields = 1 + rand() % 10; /* Random number of fields */
+    int target_field_index = rand() % num_fields; /* Which field to return */
+
+    /* Start the JSON object */
+    pos += snprintf(json + pos, MAX_JSON_SIZE - pos, "{");
+
+    /* Generate random field/value pairs */
+    for (int i = 0; i < num_fields; i++) {
+        /* Add a comma if not the first field */
+        if (i > 0) {
+            pos += snprintf(json + pos, MAX_JSON_SIZE - pos, ", ");
+        }
+
+        /* Generate a field name */
+        if (i == target_field_index) {
+            /* This is our target field - save it for the caller */
+            generate_random_field(field, field_len);
+            pos += snprintf(json + pos, MAX_JSON_SIZE - pos, "\"%s\": ", field);
+            *has_field = 1;
+            /* Sometimes change the last char so that it will not match. */
+            if (rand() % 2) {
+                *has_field = 0;
+                field[*field_len-1] = '!';
+            }
+        } else {
+            generate_random_string(buffer, MAX_FIELD_SIZE / 4);
+            pos += snprintf(json + pos, MAX_JSON_SIZE - pos, "\"%s\": ", buffer);
+        }
+
+        /* Generate a random value type */
+        int value_type = rand() % 5;
+        switch (value_type) {
+            case 0: /* String */
+                generate_random_string(buffer, MAX_JSON_SIZE / 8);
+                pos += snprintf(json + pos, MAX_JSON_SIZE - pos, "\"%s\"", buffer);
+                break;
+
+            case 1: /* Number */
+                generate_random_number(buffer, MAX_JSON_SIZE / 8);
+                pos += snprintf(json + pos, MAX_JSON_SIZE - pos, "%s", buffer);
+                break;
+
+            case 2: /* Boolean: true */
+                pos += snprintf(json + pos, MAX_JSON_SIZE - pos, "true");
+                break;
+
+            case 3: /* Boolean: false */
+                pos += snprintf(json + pos, MAX_JSON_SIZE - pos, "false");
+                break;
+
+            case 4: /* Null */
+                pos += snprintf(json + pos, MAX_JSON_SIZE - pos, "null");
+                break;
+
+            case 5: /* Array (simple) */
+                pos += snprintf(json + pos, MAX_JSON_SIZE - pos, "[");
+                int array_items = 1 + rand() % 5;
+                for (int j = 0; j < array_items; j++) {
+                    if (j > 0) pos += snprintf(json + pos, MAX_JSON_SIZE - pos, ", ");
+
+                    /* Array items - either number or string */
+                    if (rand() % 2) {
+                        generate_random_number(buffer, MAX_JSON_SIZE / 16);
+                        pos += snprintf(json + pos, MAX_JSON_SIZE - pos, "%s", buffer);
+                    } else {
+                        generate_random_string(buffer, MAX_JSON_SIZE / 16);
+                        pos += snprintf(json + pos, MAX_JSON_SIZE - pos, "\"%s\"", buffer);
+                    }
+                }
+                pos += snprintf(json + pos, MAX_JSON_SIZE - pos, "]");
+                break;
+        }
+    }
+
+    /* Close the JSON object */
+    pos += snprintf(json + pos, MAX_JSON_SIZE - pos, "}");
+    *len = pos;
+
+    return json;
+}
+
+/* Corrupt JSON by replacing random characters */
+void corrupt_json(char *json, size_t len) {
+    if (len < 2) return;  /* Too short to corrupt safely */
+
+    /* Corrupt 1-3 characters */
+    int num_corruptions = 1 + rand() % 3;
+    for (int i = 0; i < num_corruptions; i++) {
+        size_t pos = rand() % len;
+        char corruption = " \t\n{}[]\":,0123456789abcdefXYZ"[rand() % 30];
+        json[pos] = corruption;
+    }
+}
+
+/* Run standard parser tests with generated valid JSON */
+void run_normal_tests(void) {
+    printf("Running normal JSON extraction tests...\n");
+
+    for (int i = 0; i < NUM_TEST_ITERATIONS; i++) {
+        char field[MAX_FIELD_SIZE] = {0};
+        size_t field_len = 0;
+        size_t json_len = 0;
+        int has_field = 0;
+
+        /* Generate random JSON */
+        char *json = generate_random_json(&json_len, field, &field_len, &has_field);
+
+        /* Use valid field to test parser */
+        exprtoken *token = safe_extract_field(json, json_len, field, field_len);
+
+        /* Check if we got a token as expected */
+        if (has_field && token != NULL) {
+            exprTokenRelease(token);
+            tests_passed++;
+        } else if (!has_field && token == NULL) {
+            tests_passed++;
+        } else {
+            tests_failed++;
+        }
+
+        /* Test with a non-existent field */
+        char nonexistent_field[MAX_FIELD_SIZE] = "nonexistent_field";
+        token = safe_extract_field(json, json_len, nonexistent_field, strlen(nonexistent_field));
+
+        if (token == NULL) {
+            tests_passed++;
+        } else {
+            exprTokenRelease(token);
+            tests_failed++;
+        }
+
+        free(json);
+    }
+}
+
+/* Run tests with corrupted JSON */
+void run_corruption_tests(void) {
+    printf("Running JSON corruption tests...\n");
+
+    for (int i = 0; i < NUM_CORRUPTION_TESTS; i++) {
+        char field[MAX_FIELD_SIZE] = {0};
+        size_t field_len = 0;
+        size_t json_len = 0;
+        int has_field = 0;
+
+        /* Generate random JSON */
+        char *json = generate_random_json(&json_len, field, &field_len, &has_field);
+
+        /* Make a copy and corrupt it */
+        char *corrupted = malloc(json_len + 1);
+        if (!corrupted) {
+            perror("malloc");
+            free(json);
+            exit(EXIT_FAILURE);
+        }
+
+        memcpy(corrupted, json, json_len + 1);
+        corrupt_json(corrupted, json_len);
+
+        /* Test with corrupted JSON */
+        exprtoken *token = safe_extract_field(corrupted, json_len, field, field_len);
+
+        /* We're just testing that it doesn't crash or access invalid memory */
+        if (boundary_violation) {
+            printf("Boundary violation with corrupted JSON!\n");
+            tests_failed++;
+        } else {
+            if (token != NULL) {
+                exprTokenRelease(token);
+            }
+            corruptions_passed++;
+        }
+
+        free(corrupted);
+        free(json);
+    }
+}
+
+/* Run tests at memory boundaries */
+void run_boundary_tests(void) {
+    printf("Running memory boundary tests...\n");
+
+    for (int i = 0; i < NUM_BOUNDARY_TESTS; i++) {
+        char field[MAX_FIELD_SIZE] = {0};
+        size_t field_len = 0;
+        size_t json_len = 0;
+        int has_field = 0;
+
+        /* Generate random JSON */
+        char *temp_json = generate_random_json(&json_len, field, &field_len, &has_field);
+
+        /* Truncate the JSON to a random length */
+        size_t truncated_len = 1 + rand() % json_len;
+
+        /* Place at the edge of the safe page */
+        size_t offset = PAGE_SIZE - truncated_len;
+        memcpy(safe_page + offset, temp_json, truncated_len);
+
+        /* Test parsing with non-existent field (forcing it to scan to end) */
+        char nonexistent_field[MAX_FIELD_SIZE] = "nonexistent_field";
+        exprtoken *token = safe_extract_field(safe_page + offset, truncated_len,
+                                             nonexistent_field, strlen(nonexistent_field));
+
+        /* We're just testing that it doesn't access memory beyond the boundary */
+        if (boundary_violation) {
+            printf("Boundary violation at edge of memory page!\n");
+            tests_failed++;
+        } else {
+            if (token != NULL) {
+                exprTokenRelease(token);
+            }
+            boundary_tests_passed++;
+        }
+
+        free(temp_json);
+    }
+}
+
+/* Print summary of test results */
+void print_test_summary(void) {
+    printf("\n===== FASTJSON PARSER TEST SUMMARY =====\n");
+    printf("Normal tests passed: %d/%d\n", tests_passed, NUM_TEST_ITERATIONS * 2);
+    printf("Corruption tests passed: %d/%d\n", corruptions_passed, NUM_CORRUPTION_TESTS);
+    printf("Boundary tests passed: %d/%d\n", boundary_tests_passed, NUM_BOUNDARY_TESTS);
+    printf("Failed tests: %d\n", tests_failed);
+
+    if (tests_failed == 0) {
+        printf("\nALL TESTS PASSED! The JSON parser appears to be robust.\n");
+    } else {
+        printf("\nSome tests FAILED. The JSON parser may be vulnerable.\n");
+    }
+}
+
+/* Entry point for fastjson parser test */
+void run_fastjson_test(void) {
+    printf("Starting fastjson parser stress test...\n");
+
+    /* Seed the random number generator */
+    srand(time(NULL));
+
+    /* Setup test memory environment */
+    setup_test_memory();
+
+    /* Run the various test phases */
+    run_normal_tests();
+    run_corruption_tests();
+    run_boundary_tests();
+
+    /* Print summary */
+    print_test_summary();
+
+    /* Cleanup */
+    cleanup_test_memory();
+}