Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(56)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: tools/ipc_fuzzer/mutate/fuzzer.cc

Issue 1000373004: Combine traits for IPC mutation and generation fuzzing plus other refactoring. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Minor cleanup (if to else if) Created 5 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« tools/ipc_fuzzer/mutate/fuzzer.h ('K') | « tools/ipc_fuzzer/mutate/fuzzer.h ('k') | tools/ipc_fuzzer/mutate/generate.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <iostream>
6 #include <set>
7 #include <string>
8 #include <utility>
9 #include <vector>
10
11 #include "base/strings/string_util.h"
12 #include "ipc/ipc_message.h"
13 #include "ipc/ipc_message_utils.h"
14 #include "ipc/ipc_switches.h"
15 #include "ipc/ipc_sync_channel.h"
16 #include "ipc/ipc_sync_message.h"
17 #include "tools/ipc_fuzzer/message_lib/message_cracker.h"
18 #include "tools/ipc_fuzzer/message_lib/message_file.h"
19 #include "tools/ipc_fuzzer/mutate/fuzzer.h"
20 #include "tools/ipc_fuzzer/mutate/rand_util.h"
21
22 #if defined(OS_POSIX)
23 #include <unistd.h>
24 #endif
25
26 // First include of all message files to provide basic types.
27 #include "tools/ipc_fuzzer/message_lib/all_messages.h"
28 #include "ipc/ipc_message_null_macros.h"
29
30 #if defined(COMPILER_GCC)
31 #define PRETTY_FUNCTION __PRETTY_FUNCTION__
32 #elif defined(COMPILER_MSVC)
33 #define PRETTY_FUNCTION __FUNCSIG__
34 #else
35 #define PRETTY_FUNCTION __FUNCTION__
36 #endif
37
38 namespace IPC {
39 class Message;
40 } // namespace IPC
41
42 namespace {
43 // For breaking deep recursion.
44 int g_depth = 0;
45 } // namespace
46
47 namespace ipc_fuzzer {
48
49 FuzzerFunctionVector g_function_vector;
50
51 bool Fuzzer::ShouldGenerate() {
52 return false;
53 }
54
55 // Partially-specialized class that knows how to handle a given type.
56 template <class P>
57 struct FuzzTraits {
58 static bool Fuzz(P* p, Fuzzer *fuzzer) {
59 // This is the catch-all for types we don't have enough information
60 // to generate.
61 std::cerr << "Can't handle " << PRETTY_FUNCTION << "\n";
62 return false;
63 }
64 };
65
66 // Template function to invoke partially-specialized class method.
67 template <class P>
68 static bool FuzzParam(P* p, Fuzzer* fuzzer) {
69 return FuzzTraits<P>::Fuzz(p, fuzzer);
70 }
71
72 template <class P>
73 static bool FuzzParamArray(P* p, size_t length, Fuzzer* fuzzer) {
74 for (size_t i = 0; i < length; i++, p++) {
75 if (!FuzzTraits<P>::Fuzz(p, fuzzer))
76 return false;
77 }
78 return true;
79 }
80
81 // Specializations to generate primitive types.
82 template <>
83 struct FuzzTraits<bool> {
84 static bool Fuzz(bool* p, Fuzzer* fuzzer) {
85 fuzzer->FuzzBool(p);
86 return true;
87 }
88 };
89
90 template <>
91 struct FuzzTraits<int> {
92 static bool Fuzz(int* p, Fuzzer* fuzzer) {
93 fuzzer->FuzzInt(p);
94 return true;
95 }
96 };
97
98 template <>
99 struct FuzzTraits<unsigned int> {
100 static bool Fuzz(unsigned int* p, Fuzzer* fuzzer) {
101 fuzzer->FuzzInt(reinterpret_cast<int*>(p));
102 return true;
103 }
104 };
105
106 template <>
107 struct FuzzTraits<long> {
108 static bool Fuzz(long* p, Fuzzer* fuzzer) {
109 fuzzer->FuzzLong(p);
110 return true;
111 }
112 };
113
114 template <>
115 struct FuzzTraits<unsigned long> {
116 static bool Fuzz(unsigned long* p, Fuzzer* fuzzer) {
117 fuzzer->FuzzLong(reinterpret_cast<long*>(p));
118 return true;
119 }
120 };
121
122 template <>
123 struct FuzzTraits<long long> {
124 static bool Fuzz(long long* p, Fuzzer* fuzzer) {
125 fuzzer->FuzzInt64(reinterpret_cast<int64*>(p));
126 return true;
127 }
128 };
129
130 template <>
131 struct FuzzTraits<unsigned long long> {
132 static bool Fuzz(unsigned long long* p, Fuzzer* fuzzer) {
133 fuzzer->FuzzInt64(reinterpret_cast<int64*>(p));
134 return true;
135 }
136 };
137
138 template <>
139 struct FuzzTraits<short> {
140 static bool Fuzz(short* p, Fuzzer* fuzzer) {
141 fuzzer->FuzzUInt16(reinterpret_cast<uint16*>(p));
142 return true;
143 }
144 };
145
146 template <>
147 struct FuzzTraits<unsigned short> {
148 static bool Fuzz(unsigned short* p, Fuzzer* fuzzer) {
149 fuzzer->FuzzUInt16(reinterpret_cast<uint16*>(p));
150 return true;
151 }
152 };
153
154 template <>
155 struct FuzzTraits<char> {
156 static bool Fuzz(char* p, Fuzzer* fuzzer) {
157 fuzzer->FuzzUChar(reinterpret_cast<unsigned char*>(p));
158 return true;
159 }
160 };
161
162 template <>
163 struct FuzzTraits<unsigned char> {
164 static bool Fuzz(unsigned char* p, Fuzzer* fuzzer) {
165 fuzzer->FuzzUChar(p);
166 return true;
167 }
168 };
169
170 template <>
171 struct FuzzTraits<wchar_t> {
172 static bool Fuzz(wchar_t* p, Fuzzer* fuzzer) {
173 fuzzer->FuzzWChar(p);
174 return true;
175 }
176 };
177
178 template <>
179 struct FuzzTraits<float> {
180 static bool Fuzz(float* p, Fuzzer* fuzzer) {
181 fuzzer->FuzzFloat(p);
182 return true;
183 }
184 };
185
186 template <>
187 struct FuzzTraits<double> {
188 static bool Fuzz(double* p, Fuzzer* fuzzer) {
189 fuzzer->FuzzDouble(p);
190 return true;
191 }
192 };
193
194 template <>
195 struct FuzzTraits<std::string> {
196 static bool Fuzz(std::string* p, Fuzzer* fuzzer) {
197 fuzzer->FuzzString(p);
198 return true;
199 }
200 };
201
202 template <>
203 struct FuzzTraits<base::string16> {
204 static bool Fuzz(base::string16* p, Fuzzer* fuzzer) {
205 fuzzer->FuzzString16(p);
206 return true;
207 }
208 };
209
210 // Specializations for tuples.
211 template <>
212 struct FuzzTraits<Tuple<>> {
213 static bool Fuzz(Tuple<>* p, Fuzzer* fuzzer) {
214 return true;
215 }
216 };
217
218 template <class A>
219 struct FuzzTraits<Tuple<A>> {
220 static bool Fuzz(Tuple<A>* p, Fuzzer* fuzzer) {
221 return FuzzParam(&get<0>(*p), fuzzer);
222 }
223 };
224
225 template <class A, class B>
226 struct FuzzTraits<Tuple<A, B>> {
227 static bool Fuzz(Tuple<A, B>* p, Fuzzer* fuzzer) {
228 return
229 FuzzParam(&get<0>(*p), fuzzer) &&
230 FuzzParam(&get<1>(*p), fuzzer);
231 }
232 };
233
234 template <class A, class B, class C>
235 struct FuzzTraits<Tuple<A, B, C>> {
236 static bool Fuzz(Tuple<A, B, C>* p, Fuzzer* fuzzer) {
237 return
238 FuzzParam(&get<0>(*p), fuzzer) &&
239 FuzzParam(&get<1>(*p), fuzzer) &&
240 FuzzParam(&get<2>(*p), fuzzer);
241 }
242 };
243
244 template <class A, class B, class C, class D>
245 struct FuzzTraits<Tuple<A, B, C, D>> {
246 static bool Fuzz(Tuple<A, B, C, D>* p, Fuzzer* fuzzer) {
247 return
248 FuzzParam(&get<0>(*p), fuzzer) &&
249 FuzzParam(&get<1>(*p), fuzzer) &&
250 FuzzParam(&get<2>(*p), fuzzer) &&
251 FuzzParam(&get<3>(*p), fuzzer);
252 }
253 };
254
255 template <class A, class B, class C, class D, class E>
256 struct FuzzTraits<Tuple<A, B, C, D, E>> {
257 static bool Fuzz(Tuple<A, B, C, D, E>* p, Fuzzer* fuzzer) {
258 return
259 FuzzParam(&get<0>(*p), fuzzer) &&
260 FuzzParam(&get<1>(*p), fuzzer) &&
261 FuzzParam(&get<2>(*p), fuzzer) &&
262 FuzzParam(&get<3>(*p), fuzzer) &&
263 FuzzParam(&get<4>(*p), fuzzer);
264 }
265 };
266
267 // Specializations for containers.
268 template <class A>
269 struct FuzzTraits<std::vector<A> > {
270 static bool Fuzz(std::vector<A>* p, Fuzzer* fuzzer) {
271 ++g_depth;
272 size_t count = p->size();
273 if (fuzzer->ShouldGenerate()) {
274 count = g_depth > 3 ? 0 : RandElementCount();
275 p->resize(count);
276 }
277 for (size_t i = 0; i < count; ++i) {
278 if (!FuzzParam(&p->at(i), fuzzer)) {
279 --g_depth;
280 return false;
281 }
282 }
283 --g_depth;
284 return true;
285 }
286 };
287
288 template <class A>
289 struct FuzzTraits<std::set<A> > {
290 static bool Fuzz(std::set<A>* p, Fuzzer* fuzzer) {
291 if (!fuzzer->ShouldGenerate()) {
292 std::set<A> result;
293 typename std::set<A>::iterator it;
294 for (it = p->begin(); it != p->end(); ++it) {
295 A item = *it;
296 if (!FuzzParam(&item, fuzzer))
297 return false;
298 result.insert(item);
299 }
300 *p = result;
301 return true;
302 }
303
304 static int g_depth = 0;
305 size_t count = ++g_depth > 3 ? 0 : RandElementCount();
306 A a;
307 for (size_t i = 0; i < count; ++i) {
308 if (!FuzzParam(&a, fuzzer)) {
309 --g_depth;
310 return false;
311 }
312 p->insert(a);
313 }
314 --g_depth;
315 return true;
316 }
317 };
318
319 template <class A, class B>
320 struct FuzzTraits<std::map<A, B> > {
321 static bool Fuzz(std::map<A, B>* p, Fuzzer* fuzzer) {
322 if (!fuzzer->ShouldGenerate()) {
323 typename std::map<A, B>::iterator it;
324 for (it = p->begin(); it != p->end(); ++it) {
325 if (!FuzzParam(&it->second, fuzzer))
326 return false;
327 }
328 return true;
329 }
330
331 static int g_depth = 0;
332 size_t count = ++g_depth > 3 ? 0 : RandElementCount();
333 std::pair<A, B> place_holder;
334 for (size_t i = 0; i < count; ++i) {
335 if (!FuzzParam(&place_holder, fuzzer)) {
336 --g_depth;
337 return false;
338 }
339 p->insert(place_holder);
340 }
341 --g_depth;
342 return true;
343 }
344 };
345
346 template <class A, class B, class C, class D>
347 struct FuzzTraits<std::map<A, B, C, D>> {
348 static bool Fuzz(std::map<A, B, C, D>* p, Fuzzer* fuzzer) {
349 if (!fuzzer->ShouldGenerate()) {
350 typename std::map<A, B, C, D>::iterator it;
351 for (it = p->begin(); it != p->end(); ++it) {
352 if (!FuzzParam(&it->second, fuzzer))
353 return false;
354 }
355 return true;
356 }
357
358 static int g_depth = 0;
359 size_t count = ++g_depth > 3 ? 0 : RandElementCount();
360 std::pair<A, B> place_holder;
361 for (size_t i = 0; i < count; ++i) {
362 if (!FuzzParam(&place_holder, fuzzer)) {
363 --g_depth;
364 return false;
365 }
366 p->insert(place_holder);
367 }
368 --g_depth;
369 return true;
370 }
371 };
372
373 template <class A, class B>
374 struct FuzzTraits<std::pair<A, B> > {
375 static bool Fuzz(std::pair<A, B>* p, Fuzzer* fuzzer) {
376 return
377 FuzzParam(&p->first, fuzzer) &&
378 FuzzParam(&p->second, fuzzer);
379 }
380 };
381
382 // Specializations for hand-coded types.
383
384 template <>
385 struct FuzzTraits<base::FilePath> {
386 static bool Fuzz(base::FilePath* p, Fuzzer* fuzzer) {
387 if (!fuzzer->ShouldGenerate()) {
388 base::FilePath::StringType path = p->value();
389 if(!FuzzParam(&path, fuzzer))
390 return false;
391 *p = base::FilePath(path);
392 return true;
393 }
394
395 const char path_chars[] = "ACz0/.~:";
396 size_t count = RandInRange(60);
397 base::FilePath::StringType random_path;
398 for (size_t i = 0; i < count; ++i)
399 random_path += path_chars[RandInRange(sizeof(path_chars) - 1)];
400 *p = base::FilePath(random_path);
401 return true;
402 }
403 };
404
405 template <>
406 struct FuzzTraits<base::File::Error> {
407 static bool Fuzz(base::File::Error* p, Fuzzer* fuzzer) {
408 int value = static_cast<int>(*p);
409 if (!FuzzParam(&value, fuzzer))
410 return false;
411 *p = static_cast<base::File::Error>(value);
412 return true;
413 }
414 };
415
416 template <>
417 struct FuzzTraits<base::File::Info> {
418 static bool Fuzz(base::File::Info* p, Fuzzer* fuzzer) {
419 double last_modified = p->last_modified.ToDoubleT();
420 double last_accessed = p->last_accessed.ToDoubleT();
421 double creation_time = p->creation_time.ToDoubleT();
422 if (!FuzzParam(&p->size, fuzzer))
423 return false;
424 if (!FuzzParam(&p->is_directory, fuzzer))
425 return false;
426 if (!FuzzParam(&last_modified, fuzzer))
427 return false;
428 if (!FuzzParam(&last_accessed, fuzzer))
429 return false;
430 if (!FuzzParam(&creation_time, fuzzer))
431 return false;
432 p->last_modified = base::Time::FromDoubleT(last_modified);
433 p->last_accessed = base::Time::FromDoubleT(last_accessed);
434 p->creation_time = base::Time::FromDoubleT(creation_time);
435 return true;
436 }
437 };
438
439 template <>
440 struct FuzzTraits<base::NullableString16> {
441 static bool Fuzz(base::NullableString16* p, Fuzzer* fuzzer) {
442 base::string16 string = p->string();
443 bool is_null = p->is_null();
444 if (!FuzzParam(&string, fuzzer))
445 return false;
446 if (!FuzzParam(&is_null, fuzzer))
447 return false;
448 *p = base::NullableString16(string, is_null);
449 return true;
450 }
451 };
452
453 template <>
454 struct FuzzTraits<base::Time> {
455 static bool Fuzz(base::Time* p, Fuzzer* fuzzer) {
456 int64 internal_value = p->ToInternalValue();
457 if (!FuzzParam(&internal_value, fuzzer))
458 return false;
459 *p = base::Time::FromInternalValue(internal_value);
460 return true;
461 }
462 };
463
464 template <>
465 struct FuzzTraits<base::TimeDelta> {
466 static bool Fuzz(base::TimeDelta* p, Fuzzer* fuzzer) {
467 int64 internal_value = p->ToInternalValue();
468 if (!FuzzParam(&internal_value, fuzzer))
469 return false;
470 *p = base::TimeDelta::FromInternalValue(internal_value);
471 return true;
472 }
473 };
474
475 template <>
476 struct FuzzTraits<base::TimeTicks> {
477 static bool Fuzz(base::TimeTicks* p, Fuzzer* fuzzer) {
478 int64 internal_value = p->ToInternalValue();
479 if (!FuzzParam(&internal_value, fuzzer))
480 return false;
481 *p = base::TimeTicks::FromInternalValue(internal_value);
482 return true;
483 }
484 };
485
486 template <>
487 struct FuzzTraits<base::ListValue> {
488 static bool Fuzz(base::ListValue* p, Fuzzer* fuzzer) {
489 // TODO(mbarbella): Support mutation.
490 if (!fuzzer->ShouldGenerate())
491 return true;
492
493 ++g_depth;
494 size_t list_length = p->GetSize();
495 if (fuzzer->ShouldGenerate())
496 list_length = g_depth > 3 ? 0 : RandInRange(8);
497 for (size_t index = 0; index < list_length; ++index) {
498 switch (RandInRange(8)) {
499 case base::Value::TYPE_BOOLEAN: {
500 bool tmp;
501 p->GetBoolean(index, &tmp);
502 fuzzer->FuzzBool(&tmp);
503 p->Set(index, new base::FundamentalValue(tmp));
504 break;
505 }
506 case base::Value::TYPE_INTEGER: {
507 int tmp;
508 p->GetInteger(index, &tmp);
509 fuzzer->FuzzInt(&tmp);
510 p->Set(index, new base::FundamentalValue(tmp));
511 break;
512 }
513 case base::Value::TYPE_DOUBLE: {
514 double tmp;
515 p->GetDouble(index, &tmp);
516 fuzzer->FuzzDouble(&tmp);
517 p->Set(index, new base::FundamentalValue(tmp));
518 break;
519 }
520 case base::Value::TYPE_STRING: {
521 std::string tmp;
522 p->GetString(index, &tmp);
523 fuzzer->FuzzString(&tmp);
524 p->Set(index, new base::StringValue(tmp));
525 break;
526 }
527 case base::Value::TYPE_BINARY: {
528 char tmp[200];
529 size_t bin_length = RandInRange(sizeof(tmp));
530 fuzzer->FuzzData(tmp, bin_length);
531 p->Set(index,
532 base::BinaryValue::CreateWithCopiedBuffer(tmp, bin_length));
533 break;
534 }
535 case base::Value::TYPE_DICTIONARY: {
536 base::DictionaryValue* tmp = new base::DictionaryValue();
537 p->GetDictionary(index, &tmp);
538 FuzzParam(tmp, fuzzer);
539 p->Set(index, tmp);
540 break;
541 }
542 case base::Value::TYPE_LIST: {
543 base::ListValue* tmp = new base::ListValue();
544 p->GetList(index, &tmp);
545 FuzzParam(tmp, fuzzer);
546 p->Set(index, tmp);
547 break;
548 }
549 case base::Value::TYPE_NULL:
550 default:
551 break;
552 }
553 }
554 --g_depth;
555 return true;
556 }
557 };
558
559 template <>
560 struct FuzzTraits<base::DictionaryValue> {
561 static bool Fuzz(base::DictionaryValue* p, Fuzzer* fuzzer) {
562 // TODO(mbarbella): Support mutation.
563 if (!fuzzer->ShouldGenerate())
564 return true;
565
566 ++g_depth;
567 size_t dict_length = g_depth > 3 ? 0 : RandInRange(8);
568 for (size_t index = 0; index < dict_length; ++index) {
569 std::string property;
570 fuzzer->FuzzString(&property);
571 switch (RandInRange(8)) {
572 case base::Value::TYPE_BOOLEAN: {
573 bool tmp;
574 fuzzer->FuzzBool(&tmp);
575 p->SetWithoutPathExpansion(property, new base::FundamentalValue(tmp));
576 break;
577 }
578 case base::Value::TYPE_INTEGER: {
579 int tmp;
580 fuzzer->FuzzInt(&tmp);
581 p->SetWithoutPathExpansion(property, new base::FundamentalValue(tmp));
582 break;
583 }
584 case base::Value::TYPE_DOUBLE: {
585 double tmp;
586 fuzzer->FuzzDouble(&tmp);
587 p->SetWithoutPathExpansion(property, new base::FundamentalValue(tmp));
588 break;
589 }
590 case base::Value::TYPE_STRING: {
591 std::string tmp;
592 fuzzer->FuzzString(&tmp);
593 p->SetWithoutPathExpansion(property, new base::StringValue(tmp));
594 break;
595 }
596 case base::Value::TYPE_BINARY: {
597 char tmp[200];
598 size_t bin_length = RandInRange(sizeof(tmp));
599 fuzzer->FuzzData(tmp, bin_length);
600 p->SetWithoutPathExpansion(
601 property,
602 base::BinaryValue::CreateWithCopiedBuffer(tmp, bin_length));
603 break;
604 }
605 case base::Value::TYPE_DICTIONARY: {
606 base::DictionaryValue* tmp = new base::DictionaryValue();
607 FuzzParam(tmp, fuzzer);
608 p->SetWithoutPathExpansion(property, tmp);
609 break;
610 }
611 case base::Value::TYPE_LIST: {
612 base::ListValue* tmp = new base::ListValue();
613 FuzzParam(tmp, fuzzer);
614 p->SetWithoutPathExpansion(property, tmp);
615 break;
616 }
617 case base::Value::TYPE_NULL:
618 default:
619 break;
620 }
621 }
622 --g_depth;
623 return true;
624 }
625 };
626
627 template <>
628 struct FuzzTraits<blink::WebGamepad> {
629 static bool Fuzz(blink::WebGamepad* p, Fuzzer* fuzzer) {
630 if (!FuzzParam(&p->connected, fuzzer))
631 return false;
632 if (!FuzzParam(&p->timestamp, fuzzer))
633 return false;
634 unsigned idLength = static_cast<unsigned>(
635 RandInRange(blink::WebGamepad::idLengthCap + 1));
636 if (!FuzzParamArray(&p->id[0], idLength, fuzzer))
637 return false;
638 p->axesLength = static_cast<unsigned>(
639 RandInRange(blink::WebGamepad::axesLengthCap + 1));
640 if (!FuzzParamArray(&p->axes[0], p->axesLength, fuzzer))
641 return false;
642 p->buttonsLength = static_cast<unsigned>(
643 RandInRange(blink::WebGamepad::buttonsLengthCap + 1));
644 if (!FuzzParamArray(&p->buttons[0], p->buttonsLength, fuzzer))
645 return false;
646 unsigned mappingsLength = static_cast<unsigned>(
647 RandInRange(blink::WebGamepad::mappingLengthCap + 1));
648 if (!FuzzParamArray(&p->mapping[0], mappingsLength, fuzzer))
649 return false;
650 return true;
651 }
652 };
653
654 template <>
655 struct FuzzTraits<blink::WebGamepadButton> {
656 static bool Fuzz(blink::WebGamepadButton* p, Fuzzer* fuzzer) {
657 if (!FuzzParam(&p->pressed, fuzzer))
658 return false;
659 if (!FuzzParam(&p->value, fuzzer))
660 return false;
661 return true;
662 }
663 };
664
665 template <>
666 struct FuzzTraits<cc::CompositorFrame> {
667 static bool Fuzz(cc::CompositorFrame* p, Fuzzer* fuzzer) {
668 // TODO(mbarbella): Support mutation.
669 if (!fuzzer->ShouldGenerate())
670 return true;
671
672 if (!FuzzParam(&p->metadata, fuzzer))
673 return false;
674
675 switch (RandInRange(4)) {
676 case 0: {
677 p->delegated_frame_data.reset(new cc::DelegatedFrameData());
678 if (!FuzzParam(p->delegated_frame_data.get(), fuzzer))
679 return false;
680 return true;
681 }
682 case 1: {
683 p->gl_frame_data.reset(new cc::GLFrameData());
684 if (!FuzzParam(p->gl_frame_data.get(), fuzzer))
685 return false;
686 return true;
687 }
688 case 2: {
689 p->software_frame_data.reset(new cc::SoftwareFrameData());
690 if (!FuzzParam(p->software_frame_data.get(), fuzzer))
691 return false;
692 return true;
693 }
694 default:
695 // Fuzz nothing to handle the no frame case.
696 return true;
697 }
698 }
699 };
700
701 template <>
702 struct FuzzTraits<cc::CompositorFrameAck> {
703 static bool Fuzz(cc::CompositorFrameAck* p, Fuzzer* fuzzer) {
704 if (!FuzzParam(&p->resources, fuzzer))
705 return false;
706 if (!FuzzParam(&p->last_software_frame_id, fuzzer))
707 return false;
708
709 if (!p->gl_frame_data)
710 p->gl_frame_data.reset(new cc::GLFrameData);
711 if (!FuzzParam(p->gl_frame_data.get(), fuzzer))
712 return false;
713 return true;
714 }
715 };
716
717 template <>
718 struct FuzzTraits<cc::DelegatedFrameData> {
719 static bool Fuzz(cc::DelegatedFrameData* p, Fuzzer* fuzzer) {
720 if (!FuzzParam(&p->device_scale_factor, fuzzer))
721 return false;
722 if (!FuzzParam(&p->resource_list, fuzzer))
723 return false;
724 if (!FuzzParam(&p->render_pass_list, fuzzer))
725 return false;
726 return true;
727 }
728 };
729
730 template <class A>
731 struct FuzzTraits<cc::ListContainer<A>> {
732 static bool Fuzz(cc::ListContainer<A>* p, Fuzzer* fuzzer) {
733 // TODO(mbarbella): This should actually do something.
734 return true;
735 }
736 };
737
738 template <>
739 struct FuzzTraits<cc::QuadList> {
740 static bool Fuzz(cc::QuadList* p, Fuzzer* fuzzer) {
741 // TODO(mbarbella): This should actually do something.
742 return true;
743 }
744 };
745
746 template <>
747 struct FuzzTraits<cc::RenderPass> {
748 static bool Fuzz(cc::RenderPass* p, Fuzzer* fuzzer) {
749 if (!FuzzParam(&p->id, fuzzer))
750 return false;
751 if (!FuzzParam(&p->output_rect, fuzzer))
752 return false;
753 if (!FuzzParam(&p->damage_rect, fuzzer))
754 return false;
755 if (!FuzzParam(&p->transform_to_root_target, fuzzer))
756 return false;
757 if (!FuzzParam(&p->has_transparent_background, fuzzer))
758 return false;
759 if (!FuzzParam(&p->quad_list, fuzzer))
760 return false;
761 if (!FuzzParam(&p->shared_quad_state_list, fuzzer))
762 return false;
763 // Omitting |copy_requests| as it is not sent over IPC.
764 return true;
765 }
766 };
767
768 template <>
769 struct FuzzTraits<cc::RenderPassList> {
770 static bool Fuzz(cc::RenderPassList* p, Fuzzer* fuzzer) {
771 if (!fuzzer->ShouldGenerate()) {
772 for (size_t i = 0; i < p->size(); ++i) {
773 if (!FuzzParam(p->at(i), fuzzer))
774 return false;
775 }
776 return true;
777 }
778
779 size_t count = RandElementCount();
780 for (size_t i = 0; i < count; ++i) {
781 scoped_ptr<cc::RenderPass> render_pass = cc::RenderPass::Create();
782 if (!FuzzParam(render_pass.get(), fuzzer))
783 return false;
784 p->push_back(render_pass.Pass());
785 }
786 return true;
787 }
788 };
789
790 template <>
791 struct FuzzTraits<cc::SoftwareFrameData> {
792 static bool Fuzz(cc::SoftwareFrameData* p, Fuzzer* fuzzer) {
793 if (!FuzzParam(&p->id, fuzzer))
794 return false;
795 if (!FuzzParam(&p->size, fuzzer))
796 return false;
797 if (!FuzzParam(&p->damage_rect, fuzzer))
798 return false;
799 if (!FuzzParam(&p->bitmap_id, fuzzer))
800 return false;
801 return true;
802 }
803 };
804
805 template <>
806 struct FuzzTraits<content::IndexedDBKey> {
807 static bool Fuzz(content::IndexedDBKey* p, Fuzzer* fuzzer) {
808 // TODO(mbarbella): Support mutation.
809 if (!fuzzer->ShouldGenerate())
810 return true;
811
812 ++g_depth;
813 blink::WebIDBKeyType web_type =
814 static_cast<blink::WebIDBKeyType>(RandInRange(7));
815 switch (web_type) {
816 case blink::WebIDBKeyTypeArray: {
817 size_t length = g_depth > 3 ? 0 : RandInRange(4);
818 std::vector<content::IndexedDBKey> array;
819 array.resize(length);
820 for (size_t i = 0; i < length; ++i) {
821 if (!FuzzParam(&array[i], fuzzer)) {
822 --g_depth;
823 return false;
824 }
825 }
826 *p = content::IndexedDBKey(array);
827 return true;
828 }
829 case blink::WebIDBKeyTypeBinary: {
830 std::string binary;
831 if (!FuzzParam(&binary, fuzzer)) {
832 --g_depth;
833 return false;
834 }
835 *p = content::IndexedDBKey(binary);
836 return true;
837 }
838 case blink::WebIDBKeyTypeString: {
839 base::string16 string;
840 if (!FuzzParam(&string, fuzzer))
841 return false;
842 *p = content::IndexedDBKey(string);
843 return true;
844 }
845 case blink::WebIDBKeyTypeDate:
846 case blink::WebIDBKeyTypeNumber: {
847 double number;
848 if (!FuzzParam(&number, fuzzer)) {
849 --g_depth;
850 return false;
851 }
852 *p = content::IndexedDBKey(number, web_type);
853 return true;
854 }
855 case blink::WebIDBKeyTypeInvalid:
856 case blink::WebIDBKeyTypeNull: {
857 *p = content::IndexedDBKey(web_type);
858 return true;
859 }
860 default: {
861 NOTREACHED();
862 --g_depth;
863 return false;
864 }
865 }
866 }
867 };
868
869 template <>
870 struct FuzzTraits<content::IndexedDBKeyRange> {
871 static bool Fuzz(content::IndexedDBKeyRange* p, Fuzzer* fuzzer) {
872 content::IndexedDBKey lower = p->lower();
873 content::IndexedDBKey upper = p->upper();
874 bool lower_open = p->lower_open();
875 bool upper_open = p->upper_open();
876 if (!FuzzParam(&lower, fuzzer))
877 return false;
878 if (!FuzzParam(&upper, fuzzer))
879 return false;
880 if (!FuzzParam(&lower_open, fuzzer))
881 return false;
882 if (!FuzzParam(&upper_open, fuzzer))
883 return false;
884 *p = content::IndexedDBKeyRange(lower, upper, lower_open, upper_open);
885 return true;
886 }
887 };
888
889 template <>
890 struct FuzzTraits<content::IndexedDBKeyPath> {
891 static bool Fuzz(content::IndexedDBKeyPath* p, Fuzzer* fuzzer) {
892 // TODO(mbarbella): Support mutation.
893 if (!fuzzer->ShouldGenerate())
894 return true;
895
896 switch (RandInRange(3)) {
897 case 0: {
898 std::vector<base::string16> array;
899 if (!FuzzParam(&array, fuzzer))
900 return false;
901 *p = content::IndexedDBKeyPath(array);
902 break;
903 }
904 case 1: {
905 base::string16 string;
906 if (!FuzzParam(&string, fuzzer))
907 return false;
908 *p = content::IndexedDBKeyPath(string);
909 break;
910 }
911 case 2: {
912 *p = content::IndexedDBKeyPath();
913 break;
914 }
915 }
916 return true;
917 }
918 };
919
920 template <>
921 struct FuzzTraits<content::NPIdentifier_Param> {
922 static bool Fuzz(content::NPIdentifier_Param* p, Fuzzer* fuzzer) {
923 // TODO(mbarbella): This should actually do something.
924 return true;
925 }
926 };
927
928 template <>
929 struct FuzzTraits<content::NPVariant_Param> {
930 static bool Fuzz(content::NPVariant_Param* p, Fuzzer* fuzzer) {
931 // TODO(mbarbella): This should actually do something.
932 return true;
933 }
934 };
935
936 template <>
937 struct FuzzTraits<content::PageState> {
938 static bool Fuzz(content::PageState* p, Fuzzer* fuzzer) {
939 std::string data = p->ToEncodedData();
940 if (!FuzzParam(&data, fuzzer))
941 return false;
942 *p = content::PageState::CreateFromEncodedData(data);
943 return true;
944 }
945 };
946
947 template <>
948 struct FuzzTraits<content::SyntheticGesturePacket> {
949 static bool Fuzz(content::SyntheticGesturePacket* p,
950 Fuzzer* fuzzer) {
951 // TODO(mbarbella): Support mutation.
952 if (!fuzzer->ShouldGenerate())
953 return true;
954
955 scoped_ptr<content::SyntheticGestureParams> gesture_params;
956 switch (RandInRange(
957 content::SyntheticGestureParams::SYNTHETIC_GESTURE_TYPE_MAX + 1)) {
958 case content::SyntheticGestureParams::GestureType::
959 SMOOTH_SCROLL_GESTURE: {
960 content::SyntheticSmoothScrollGestureParams* params =
961 new content::SyntheticSmoothScrollGestureParams();
962 if (!FuzzParam(&params->anchor, fuzzer))
963 return false;
964 if (!FuzzParam(&params->distances, fuzzer))
965 return false;
966 if (!FuzzParam(&params->prevent_fling, fuzzer))
967 return false;
968 if (!FuzzParam(&params->speed_in_pixels_s, fuzzer))
969 return false;
970 gesture_params.reset(params);
971 break;
972 }
973 case content::SyntheticGestureParams::GestureType::SMOOTH_DRAG_GESTURE: {
974 content::SyntheticSmoothDragGestureParams* params =
975 new content::SyntheticSmoothDragGestureParams();
976 if (!FuzzParam(&params->start_point, fuzzer))
977 return false;
978 if (!FuzzParam(&params->distances, fuzzer))
979 return false;
980 if (!FuzzParam(&params->speed_in_pixels_s, fuzzer))
981 return false;
982 gesture_params.reset(params);
983 break;
984 }
985 case content::SyntheticGestureParams::GestureType::PINCH_GESTURE: {
986 content::SyntheticPinchGestureParams* params =
987 new content::SyntheticPinchGestureParams();
988 if (!FuzzParam(&params->scale_factor, fuzzer))
989 return false;
990 if (!FuzzParam(&params->anchor, fuzzer))
991 return false;
992 if (!FuzzParam(&params->relative_pointer_speed_in_pixels_s,
993 fuzzer))
994 return false;
995 gesture_params.reset(params);
996 break;
997 }
998 case content::SyntheticGestureParams::GestureType::TAP_GESTURE: {
999 content::SyntheticTapGestureParams* params =
1000 new content::SyntheticTapGestureParams();
1001 if (!FuzzParam(&params->position, fuzzer))
1002 return false;
1003 if (!FuzzParam(&params->duration_ms, fuzzer))
1004 return false;
1005 gesture_params.reset(params);
1006 break;
1007 }
1008 }
1009 p->set_gesture_params(gesture_params.Pass());
1010 return true;
1011 }
1012 };
1013
1014 template <>
1015 struct FuzzTraits<content::WebCursor> {
1016 static bool Fuzz(content::WebCursor* p, Fuzzer* fuzzer) {
1017 content::WebCursor::CursorInfo info;
1018 p->GetCursorInfo(&info);
1019
1020 // |type| enum is not validated on de-serialization, so pick random value.
1021 if (!FuzzParam(reinterpret_cast<int*>(&info.type), fuzzer))
1022 return false;
1023 if (!FuzzParam(&info.hotspot, fuzzer))
1024 return false;
1025 if (!FuzzParam(&info.image_scale_factor, fuzzer))
1026 return false;
1027 if (!FuzzParam(&info.custom_image, fuzzer))
1028 return false;
1029 // Omitting |externalHandle| since it is not serialized.
1030
1031 // Scale factor is expected to be greater than 0, otherwise we hit
1032 // a check failure.
1033 info.image_scale_factor = fabs(info.image_scale_factor) + 0.001;
1034
1035 *p = content::WebCursor(info);
1036 return true;
1037 }
1038 };
1039
1040 template <>
1041 struct FuzzTraits<ContentSettingsPattern> {
1042 static bool Fuzz(ContentSettingsPattern* p, Fuzzer* fuzzer) {
1043 // TODO(mbarbella): This can crash if a pattern is generated from a random
1044 // string. We could carefully generate a pattern or fix pattern generation.
1045 return true;
1046 }
1047 };
1048
1049 template <>
1050 struct FuzzTraits<ExtensionMsg_PermissionSetStruct> {
1051 static bool Fuzz(ExtensionMsg_PermissionSetStruct* p,
1052 Fuzzer* fuzzer) {
1053 // TODO(mbarbella): This should actually do something.
1054 return true;
1055 }
1056 };
1057
1058 template <>
1059 struct FuzzTraits<extensions::URLPatternSet> {
1060 static bool Fuzz(extensions::URLPatternSet* p, Fuzzer* fuzzer) {
1061 std::set<URLPattern> patterns = p->patterns();
1062 if (!FuzzParam(&patterns, fuzzer))
1063 return false;
1064 *p = extensions::URLPatternSet(patterns);
1065 return true;
1066 }
1067 };
1068
1069 template <>
1070 struct FuzzTraits<gfx::Point> {
1071 static bool Fuzz(gfx::Point* p, Fuzzer* fuzzer) {
1072 int x = p->x();
1073 int y = p->y();
1074 if (!FuzzParam(&x, fuzzer))
1075 return false;
1076 if (!FuzzParam(&y, fuzzer))
1077 return false;
1078 p->SetPoint(x, y);
1079 return true;
1080 }
1081 };
1082
1083 template <>
1084 struct FuzzTraits<gfx::PointF> {
1085 static bool Fuzz(gfx::PointF* p, Fuzzer* fuzzer) {
1086 float x = p->x();
1087 float y = p->y();
1088 if (!FuzzParam(&x, fuzzer))
1089 return false;
1090 if (!FuzzParam(&y, fuzzer))
1091 return false;
1092 p->SetPoint(x, y);
1093 return true;
1094 }
1095 };
1096
1097 template <>
1098 struct FuzzTraits<gfx::Rect> {
1099 static bool Fuzz(gfx::Rect* p, Fuzzer* fuzzer) {
1100 gfx::Point origin = p->origin();
1101 gfx::Size size = p->size();
1102 if (!FuzzParam(&origin, fuzzer))
1103 return false;
1104 if (!FuzzParam(&size, fuzzer))
1105 return false;
1106 p->set_origin(origin);
1107 p->set_size(size);
1108 return true;
1109 }
1110 };
1111
1112 template <>
1113 struct FuzzTraits<gfx::RectF> {
1114 static bool Fuzz(gfx::RectF* p, Fuzzer* fuzzer) {
1115 gfx::PointF origin = p->origin();
1116 gfx::SizeF size = p->size();
1117 if (!FuzzParam(&origin, fuzzer))
1118 return false;
1119 if (!FuzzParam(&size, fuzzer))
1120 return false;
1121 p->set_origin(origin);
1122 p->set_size(size);
1123 return true;
1124 }
1125 };
1126
1127 template <>
1128 struct FuzzTraits<gfx::Range> {
1129 static bool Fuzz(gfx::Range* p, Fuzzer* fuzzer) {
1130 size_t start = p->start();
1131 size_t end = p->end();
1132 if (!FuzzParam(&start, fuzzer))
1133 return false;
1134 if (!FuzzParam(&end, fuzzer))
1135 return false;
1136 *p = gfx::Range(start, end);
1137 return true;
1138 }
1139 };
1140
1141 template <>
1142 struct FuzzTraits<gfx::Size> {
1143 static bool Fuzz(gfx::Size* p, Fuzzer* fuzzer) {
1144 int width = p->width();
1145 int height = p->height();
1146 if (!FuzzParam(&width, fuzzer))
1147 return false;
1148 if (!FuzzParam(&height, fuzzer))
1149 return false;
1150 p->SetSize(width, height);
1151 return true;
1152 }
1153 };
1154
1155 template <>
1156 struct FuzzTraits<gfx::SizeF> {
1157 static bool Fuzz(gfx::SizeF* p, Fuzzer* fuzzer) {
1158 float w;
1159 float h;
1160 if (!FuzzParam(&w, fuzzer))
1161 return false;
1162 if (!FuzzParam(&h, fuzzer))
1163 return false;
1164 p->SetSize(w, h);
1165 return true;
1166 }
1167 };
1168
1169 template <>
1170 struct FuzzTraits<gfx::Transform> {
1171 static bool Fuzz(gfx::Transform* p, Fuzzer* fuzzer) {
1172 SkMScalar matrix[16];
1173 for (size_t i = 0; i < arraysize(matrix); i++) {
1174 matrix[i] = p->matrix().get(i / 4, i % 4);
1175 }
1176 if (!FuzzParamArray(&matrix[0], arraysize(matrix), fuzzer))
1177 return false;
1178 *p = gfx::Transform(matrix[0], matrix[1], matrix[2], matrix[3], matrix[4],
1179 matrix[5], matrix[6], matrix[7], matrix[8], matrix[9],
1180 matrix[10], matrix[11], matrix[12], matrix[13],
1181 matrix[14], matrix[15]);
1182 return true;
1183 }
1184 };
1185
1186 template <>
1187 struct FuzzTraits<gfx::Vector2d> {
1188 static bool Fuzz(gfx::Vector2d* p, Fuzzer* fuzzer) {
1189 int x = p->x();
1190 int y = p->y();
1191 if (!FuzzParam(&x, fuzzer))
1192 return false;
1193 if (!FuzzParam(&y, fuzzer))
1194 return false;
1195 *p = gfx::Vector2d(x, y);
1196 return true;
1197 }
1198 };
1199
1200 template <>
1201 struct FuzzTraits<gfx::Vector2dF> {
1202 static bool Fuzz(gfx::Vector2dF* p, Fuzzer* fuzzer) {
1203 float x = p->x();
1204 float y = p->y();
1205 if (!FuzzParam(&x, fuzzer))
1206 return false;
1207 if (!FuzzParam(&y, fuzzer))
1208 return false;
1209 *p = gfx::Vector2dF(x, y);
1210 return true;
1211 }
1212 };
1213
1214 template <>
1215 struct FuzzTraits<gpu::Mailbox> {
1216 static bool Fuzz(gpu::Mailbox* p, Fuzzer* fuzzer) {
1217 fuzzer->FuzzBytes(p->name, sizeof(p->name));
1218 return true;
1219 }
1220 };
1221
1222 template <>
1223 struct FuzzTraits<gpu::MailboxHolder> {
1224 static bool Fuzz(gpu::MailboxHolder* p, Fuzzer* fuzzer) {
1225 if (!FuzzParam(&p->mailbox, fuzzer))
1226 return false;
1227 if (!FuzzParam(&p->texture_target, fuzzer))
1228 return false;
1229 if (!FuzzParam(&p->sync_point, fuzzer))
1230 return false;
1231 return true;
1232 }
1233 };
1234
1235 template <>
1236 struct FuzzTraits<gpu::ValueState> {
1237 static bool Fuzz(gpu::ValueState* p, Fuzzer* fuzzer) {
1238 if (!FuzzParamArray(&p->float_value[0], 4, fuzzer))
1239 return false;
1240 if (!FuzzParamArray(&p->int_value[0], 4, fuzzer))
1241 return false;
1242 return true;
1243 }
1244 };
1245
1246 template <>
1247 struct FuzzTraits<GURL> {
1248 static bool Fuzz(GURL* p, Fuzzer* fuzzer) {
1249 if (!fuzzer->ShouldGenerate()) {
1250 std::string spec = p->possibly_invalid_spec();
1251 if (!FuzzParam(&spec, fuzzer))
1252 return false;
1253 if (spec != p->possibly_invalid_spec())
1254 *p = GURL(spec);
1255 return true;
1256 }
1257
1258 const char url_chars[] = "Ahtp0:/.?+\\%&#";
1259 size_t count = RandInRange(100);
1260 std::string random_url;
1261 for (size_t i = 0; i < count; ++i)
1262 random_url += url_chars[RandInRange(sizeof(url_chars) - 1)];
1263 int selector = RandInRange(10);
1264 if (selector == 0)
1265 random_url = std::string("http://") + random_url;
1266 else if (selector == 1)
1267 random_url = std::string("file://") + random_url;
1268 else if (selector == 2)
1269 random_url = std::string("javascript:") + random_url;
1270 else if (selector == 2)
1271 random_url = std::string("data:") + random_url;
1272 *p = GURL(random_url);
1273 return true;
1274 }
1275 };
1276
1277 #if defined(OS_WIN)
1278 template <>
1279 struct FuzzTraits<HWND> {
1280 static bool Fuzz(HWND* p, Fuzzer* fuzzer) {
1281 // TODO(aarya): This should actually do something.
1282 return true;
1283 }
1284 };
1285 #endif
1286
1287 template <>
1288 struct FuzzTraits<IPC::Message> {
1289 static bool Fuzz(IPC::Message* p, Fuzzer* fuzzer) {
1290 // TODO(mbarbella): Support mutation.
1291 if (!fuzzer->ShouldGenerate())
1292 return true;
1293
1294 if (g_function_vector.empty())
1295 return false;
1296 size_t index = RandInRange(g_function_vector.size());
1297 IPC::Message* ipc_message = (*g_function_vector[index])(NULL, fuzzer);
1298 if (!ipc_message)
1299 return false;
1300 p = ipc_message;
1301 return true;
1302 }
1303 };
1304
1305 template <>
1306 struct FuzzTraits<IPC::PlatformFileForTransit> {
1307 static bool Fuzz(IPC::PlatformFileForTransit* p, Fuzzer* fuzzer) {
1308 // TODO(inferno): I don't think we can generate real ones due to check on
1309 // construct.
1310 return true;
1311 }
1312 };
1313
1314 template <>
1315 struct FuzzTraits<IPC::ChannelHandle> {
1316 static bool Fuzz(IPC::ChannelHandle* p, Fuzzer* fuzzer) {
1317 // TODO(mbarbella): Support mutation.
1318 if (!fuzzer->ShouldGenerate())
1319 return true;
1320
1321 // TODO(inferno): Add way to generate real channel handles.
1322 #if defined(OS_WIN)
1323 HANDLE fake_handle = (HANDLE)(RandU64());
1324 p->pipe = IPC::ChannelHandle::PipeHandle(fake_handle);
1325 return true;
1326 #elif defined(OS_POSIX)
1327 return
1328 FuzzParam(&p->name, fuzzer) &&
1329 FuzzParam(&p->socket, fuzzer);
1330 #endif
1331 }
1332 };
1333
1334 #if defined(OS_WIN)
1335 template <>
1336 struct FuzzTraits<LOGFONT> {
1337 static bool Fuzz(LOGFONT* p, Fuzzer* fuzzer) {
1338 // TODO(aarya): This should actually do something.
1339 return true;
1340 }
1341 };
1342 #endif
1343
1344 template <>
1345 struct FuzzTraits<media::AudioParameters> {
1346 static bool Fuzz(media::AudioParameters* p, Fuzzer* fuzzer) {
1347 int format = p->format();
1348 int channel_layout = p->channel_layout();
1349 int sample_rate = p->sample_rate();
1350 int bits_per_sample = p->bits_per_sample();
1351 int frames_per_buffer = p->frames_per_buffer();
1352 int channels = p->channels();
1353 int effects = p->effects();
1354 if (!FuzzParam(&format, fuzzer))
1355 return false;
1356 if (!FuzzParam(&channel_layout, fuzzer))
1357 return false;
1358 if (!FuzzParam(&sample_rate, fuzzer))
1359 return false;
1360 if (!FuzzParam(&bits_per_sample, fuzzer))
1361 return false;
1362 if (!FuzzParam(&frames_per_buffer, fuzzer))
1363 return false;
1364 if (!FuzzParam(&channels, fuzzer))
1365 return false;
1366 if (!FuzzParam(&effects, fuzzer))
1367 return false;
1368 media::AudioParameters params(
1369 static_cast<media::AudioParameters::Format>(format),
1370 static_cast<media::ChannelLayout>(channel_layout), channels,
1371 sample_rate, bits_per_sample, frames_per_buffer, effects);
1372 *p = params;
1373 return true;
1374 }
1375 };
1376
1377 template <>
1378 struct FuzzTraits<media::VideoCaptureFormat> {
1379 static bool Fuzz(media::VideoCaptureFormat* p, Fuzzer* fuzzer) {
1380 if (!FuzzParam(&p->frame_size, fuzzer))
1381 return false;
1382 if (!FuzzParam(&p->frame_rate, fuzzer))
1383 return false;
1384 if (!FuzzParam(reinterpret_cast<int*>(&p->pixel_format), fuzzer))
1385 return false;
1386 return true;
1387 }
1388 };
1389
1390 template <>
1391 struct FuzzTraits<net::LoadTimingInfo> {
1392 static bool Fuzz(net::LoadTimingInfo* p, Fuzzer* fuzzer) {
1393 return FuzzParam(&p->socket_log_id, fuzzer) &&
1394 FuzzParam(&p->socket_reused, fuzzer) &&
1395 FuzzParam(&p->request_start_time, fuzzer) &&
1396 FuzzParam(&p->request_start, fuzzer) &&
1397 FuzzParam(&p->proxy_resolve_start, fuzzer) &&
1398 FuzzParam(&p->proxy_resolve_end, fuzzer) &&
1399 FuzzParam(&p->connect_timing.dns_start, fuzzer) &&
1400 FuzzParam(&p->connect_timing.dns_end, fuzzer) &&
1401 FuzzParam(&p->connect_timing.connect_start, fuzzer) &&
1402 FuzzParam(&p->connect_timing.connect_end, fuzzer) &&
1403 FuzzParam(&p->connect_timing.ssl_start, fuzzer) &&
1404 FuzzParam(&p->connect_timing.ssl_end, fuzzer) &&
1405 FuzzParam(&p->send_start, fuzzer) &&
1406 FuzzParam(&p->send_end, fuzzer) &&
1407 FuzzParam(&p->receive_headers_end, fuzzer);
1408 }
1409 };
1410
1411 template <>
1412 struct FuzzTraits<net::HostPortPair> {
1413 static bool Fuzz(net::HostPortPair* p, Fuzzer* fuzzer) {
1414 std::string host = p->host();
1415 uint16 port = p->port();
1416 if (!FuzzParam(&host, fuzzer))
1417 return false;
1418 if (!FuzzParam(&port, fuzzer))
1419 return false;
1420 p->set_host(host);
1421 p->set_port(port);
1422 return true;
1423 }
1424 };
1425
1426 template <>
1427 struct FuzzTraits<net::IPEndPoint> {
1428 static bool Fuzz(net::IPEndPoint* p, Fuzzer* fuzzer) {
1429 net::IPAddressNumber address = p->address();
1430 int port = p->port();
1431 if (!FuzzParam(&address, fuzzer))
1432 return false;
1433 if (!FuzzParam(&port, fuzzer))
1434 return false;
1435 net::IPEndPoint ip_endpoint(address, port);
1436 *p = ip_endpoint;
1437 return true;
1438 }
1439 };
1440
1441 template <>
1442 struct FuzzTraits<network_hints::LookupRequest> {
1443 static bool Fuzz(network_hints::LookupRequest* p, Fuzzer* fuzzer) {
1444 if (!FuzzParam(&p->hostname_list, fuzzer))
1445 return false;
1446 return true;
1447 }
1448 };
1449
1450 // PP_ traits.
1451 template <>
1452 struct FuzzTraits<PP_Bool> {
1453 static bool Fuzz(PP_Bool* p, Fuzzer* fuzzer) {
1454 bool tmp = PP_ToBool(*p);
1455 if (!FuzzParam(&tmp, fuzzer))
1456 return false;
1457 *p = PP_FromBool(tmp);
1458 return true;
1459 }
1460 };
1461
1462 template <>
1463 struct FuzzTraits<PP_KeyInformation> {
1464 static bool Fuzz(PP_KeyInformation* p, Fuzzer* fuzzer) {
1465 // TODO(mbarbella): This should actually do something.
1466 return true;
1467 }
1468 };
1469
1470 template <>
1471 struct FuzzTraits<PP_NetAddress_Private> {
1472 static bool Fuzz(PP_NetAddress_Private* p, Fuzzer* fuzzer) {
1473 p->size = RandInRange(sizeof(p->data) + 1);
1474 fuzzer->FuzzBytes(&p->data, p->size);
1475 return true;
1476 }
1477 };
1478
1479 template <>
1480 struct FuzzTraits<ppapi::PPB_X509Certificate_Fields> {
1481 static bool Fuzz(ppapi::PPB_X509Certificate_Fields* p,
1482 Fuzzer* fuzzer) {
1483 // TODO(mbarbella): This should actually do something.
1484 return true;
1485 }
1486 };
1487
1488 template <>
1489 struct FuzzTraits<ppapi::proxy::PPBFlash_DrawGlyphs_Params> {
1490 static bool Fuzz(ppapi::proxy::PPBFlash_DrawGlyphs_Params* p,
1491 Fuzzer* fuzzer) {
1492 // TODO(mbarbella): This should actually do something.
1493 return true;
1494 }
1495 };
1496
1497 template <>
1498 struct FuzzTraits<ppapi::proxy::ResourceMessageCallParams> {
1499 static bool Fuzz(
1500 ppapi::proxy::ResourceMessageCallParams* p, Fuzzer* fuzzer) {
1501 // TODO(mbarbella): Support mutation.
1502 if (!fuzzer->ShouldGenerate())
1503 return true;
1504
1505 PP_Resource resource;
1506 int32_t sequence;
1507 bool has_callback;
1508 if (!FuzzParam(&resource, fuzzer))
1509 return false;
1510 if (!FuzzParam(&sequence, fuzzer))
1511 return false;
1512 if (!FuzzParam(&has_callback, fuzzer))
1513 return false;
1514 *p = ppapi::proxy::ResourceMessageCallParams(resource, sequence);
1515 if (has_callback)
1516 p->set_has_callback();
1517 return true;
1518 }
1519 };
1520
1521 template <>
1522 struct FuzzTraits<ppapi::proxy::ResourceMessageReplyParams> {
1523 static bool Fuzz(
1524 ppapi::proxy::ResourceMessageReplyParams* p, Fuzzer* fuzzer) {
1525 // TODO(mbarbella): Support mutation.
1526 if (!fuzzer->ShouldGenerate())
1527 return true;
1528
1529 PP_Resource resource;
1530 int32_t sequence;
1531 int32_t result;
1532 if (!FuzzParam(&resource, fuzzer))
1533 return false;
1534 if (!FuzzParam(&sequence, fuzzer))
1535 return false;
1536 if (!FuzzParam(&result, fuzzer))
1537 return false;
1538 *p = ppapi::proxy::ResourceMessageReplyParams(resource, sequence);
1539 p->set_result(result);
1540 return true;
1541 }
1542 };
1543
1544 template <>
1545 struct FuzzTraits<ppapi::proxy::SerializedHandle> {
1546 static bool Fuzz(ppapi::proxy::SerializedHandle* p,
1547 Fuzzer* fuzzer) {
1548 // TODO(mbarbella): This should actually do something.
1549 return true;
1550 }
1551 };
1552
1553 template <>
1554 struct FuzzTraits<ppapi::proxy::SerializedFontDescription> {
1555 static bool Fuzz(ppapi::proxy::SerializedFontDescription* p,
1556 Fuzzer* fuzzer) {
1557 // TODO(mbarbella): This should actually do something.
1558 return true;
1559 }
1560 };
1561
1562 template <>
1563 struct FuzzTraits<ppapi::proxy::SerializedTrueTypeFontDesc> {
1564 static bool Fuzz(ppapi::proxy::SerializedTrueTypeFontDesc* p,
1565 Fuzzer* fuzzer) {
1566 // TODO(mbarbella): This should actually do something.
1567 return true;
1568 }
1569 };
1570
1571 template <>
1572 struct FuzzTraits<ppapi::proxy::SerializedVar> {
1573 static bool Fuzz(ppapi::proxy::SerializedVar* p, Fuzzer* fuzzer) {
1574 // TODO(mbarbella): This should actually do something.
1575 return true;
1576 }
1577 };
1578
1579 template <>
1580 struct FuzzTraits<ppapi::HostResource> {
1581 static bool Fuzz(ppapi::HostResource* p, Fuzzer* fuzzer) {
1582 // TODO(mbarbella): Support mutation.
1583 if (!fuzzer->ShouldGenerate())
1584 return true;
1585
1586 PP_Instance instance;
1587 PP_Resource resource;
1588 if (!FuzzParam(&instance, fuzzer))
1589 return false;
1590 if (!FuzzParam(&resource, fuzzer))
1591 return false;
1592 p->SetHostResource(instance, resource);
1593 return true;
1594 }
1595 };
1596
1597 template <>
1598 struct FuzzTraits<ppapi::PepperFilePath> {
1599 static bool Fuzz(ppapi::PepperFilePath *p, Fuzzer* fuzzer) {
1600 // TODO(mbarbella): Support mutation.
1601 if (!fuzzer->ShouldGenerate())
1602 return true;
1603
1604 unsigned domain = RandInRange(ppapi::PepperFilePath::DOMAIN_MAX_VALID+1);
1605 base::FilePath path;
1606 if (!FuzzParam(&path, fuzzer))
1607 return false;
1608 *p = ppapi::PepperFilePath(
1609 static_cast<ppapi::PepperFilePath::Domain>(domain), path);
1610 return true;
1611 }
1612 };
1613
1614 template <>
1615 struct FuzzTraits<ppapi::PpapiPermissions> {
1616 static bool Fuzz(ppapi::PpapiPermissions* p, Fuzzer* fuzzer) {
1617 uint32_t bits = p->GetBits();
1618 if (!FuzzParam(&bits, fuzzer))
1619 return false;
1620 *p = ppapi::PpapiPermissions(bits);
1621 return true;
1622 }
1623 };
1624
1625 template <>
1626 struct FuzzTraits<ppapi::SocketOptionData> {
1627 static bool Fuzz(ppapi::SocketOptionData* p, Fuzzer* fuzzer) {
1628 // TODO(mbarbella): This can be improved.
1629 int32 tmp;
1630 p->GetInt32(&tmp);
1631 if (!FuzzParam(&tmp, fuzzer))
1632 return false;
1633 p->SetInt32(tmp);
1634 return true;
1635 }
1636 };
1637
1638 template <>
1639 struct FuzzTraits<printing::PdfRenderSettings> {
1640 static bool Fuzz(printing::PdfRenderSettings* p, Fuzzer* fuzzer) {
1641 gfx::Rect area = p->area();
1642 int dpi = p->dpi();
1643 bool autorotate = p->autorotate();
1644 if (!FuzzParam(&area, fuzzer))
1645 return false;
1646 if (!FuzzParam(&dpi, fuzzer))
1647 return false;
1648 if (!FuzzParam(&autorotate, fuzzer))
1649 return false;
1650 *p = printing::PdfRenderSettings(area, dpi, autorotate);
1651 return true;
1652 }
1653 };
1654
1655 template <>
1656 struct FuzzTraits<remoting::ScreenResolution> {
1657 static bool Fuzz(remoting::ScreenResolution* p, Fuzzer* fuzzer) {
1658 webrtc::DesktopSize dimensions = p->dimensions();
1659 webrtc::DesktopVector dpi = p->dpi();
1660 if (!FuzzParam(&dimensions, fuzzer))
1661 return false;
1662 if (!FuzzParam(&dpi, fuzzer))
1663 return false;
1664 *p = remoting::ScreenResolution(dimensions, dpi);
1665 return true;
1666 }
1667 };
1668
1669 template <>
1670 struct FuzzTraits<SkBitmap> {
1671 static bool Fuzz(SkBitmap* p, Fuzzer* fuzzer) {
1672 // TODO(mbarbella): This should actually do something.
1673 return true;
1674 }
1675 };
1676
1677 template <>
1678 struct FuzzTraits<storage::DataElement> {
1679 static bool Fuzz(storage::DataElement* p, Fuzzer* fuzzer) {
1680 // TODO(mbarbella): Support mutation.
1681 if (!fuzzer->ShouldGenerate())
1682 return true;
1683
1684 switch (RandInRange(4)) {
1685 case storage::DataElement::Type::TYPE_BYTES: {
1686 if (RandEvent(2)) {
1687 p->SetToEmptyBytes();
1688 } else {
1689 char data[256];
1690 int data_len = RandInRange(sizeof(data));
1691 fuzzer->FuzzBytes(&data[0], data_len);
1692 p->SetToBytes(&data[0], data_len);
1693 }
1694 return true;
1695 }
1696 case storage::DataElement::Type::TYPE_FILE: {
1697 base::FilePath path;
1698 uint64 offset;
1699 uint64 length;
1700 base::Time modification_time;
1701 if (!FuzzParam(&path, fuzzer))
1702 return false;
1703 if (!FuzzParam(&offset, fuzzer))
1704 return false;
1705 if (!FuzzParam(&length, fuzzer))
1706 return false;
1707 if (!FuzzParam(&modification_time, fuzzer))
1708 return false;
1709 p->SetToFilePathRange(path, offset, length, modification_time);
1710 return true;
1711 }
1712 case storage::DataElement::Type::TYPE_BLOB: {
1713 std::string uuid;
1714 uint64 offset;
1715 uint64 length;
1716 if (!FuzzParam(&uuid, fuzzer))
1717 return false;
1718 if (!FuzzParam(&offset, fuzzer))
1719 return false;
1720 if (!FuzzParam(&length, fuzzer))
1721 return false;
1722 p->SetToBlobRange(uuid, offset, length);
1723 return true;
1724 }
1725 case storage::DataElement::Type::TYPE_FILE_FILESYSTEM: {
1726 GURL url;
1727 uint64 offset;
1728 uint64 length;
1729 base::Time modification_time;
1730 if (!FuzzParam(&url, fuzzer))
1731 return false;
1732 if (!FuzzParam(&offset, fuzzer))
1733 return false;
1734 if (!FuzzParam(&length, fuzzer))
1735 return false;
1736 if (!FuzzParam(&modification_time, fuzzer))
1737 return false;
1738 p->SetToFileSystemUrlRange(url, offset, length, modification_time);
1739 return true;
1740 }
1741 default: {
1742 NOTREACHED();
1743 return false;
1744 }
1745 }
1746 }
1747 };
1748
1749 template <>
1750 struct FuzzTraits<ui::LatencyInfo> {
1751 static bool Fuzz(ui::LatencyInfo* p, Fuzzer* fuzzer) {
1752 // TODO(inferno): Add param traits for |latency_components|.
1753 p->input_coordinates_size = static_cast<uint32>(
1754 RandInRange(ui::LatencyInfo::kMaxInputCoordinates + 1));
1755 if (!FuzzParamArray(
1756 &p->input_coordinates[0], p->input_coordinates_size, fuzzer))
1757 return false;
1758 if (!FuzzParam(&p->trace_id, fuzzer))
1759 return false;
1760 if (!FuzzParam(&p->terminated, fuzzer))
1761 return false;
1762 return true;
1763 }
1764 };
1765
1766 template <>
1767 struct FuzzTraits<ui::LatencyInfo::InputCoordinate> {
1768 static bool Fuzz(
1769 ui::LatencyInfo::InputCoordinate* p, Fuzzer* fuzzer) {
1770 if (!FuzzParam(&p->x, fuzzer))
1771 return false;
1772 if (!FuzzParam(&p->y, fuzzer))
1773 return false;
1774 return true;
1775 }
1776 };
1777
1778 template <>
1779 struct FuzzTraits<url::Origin> {
1780 static bool Fuzz(url::Origin* p, Fuzzer* fuzzer) {
1781 std::string origin = p->string();
1782 if (!FuzzParam(&origin, fuzzer))
1783 return false;
1784 *p = url::Origin(origin);
1785 return true;
1786 }
1787 };
1788
1789 template <>
1790 struct FuzzTraits<URLPattern> {
1791 static bool Fuzz(URLPattern* p, Fuzzer* fuzzer) {
1792 int valid_schemes = p->valid_schemes();
1793 std::string host = p->host();
1794 std::string port = p->port();
1795 std::string path = p->path();
1796 if (!FuzzParam(&valid_schemes, fuzzer))
1797 return false;
1798 if (!FuzzParam(&host, fuzzer))
1799 return false;
1800 if (!FuzzParam(&port, fuzzer))
1801 return false;
1802 if (!FuzzParam(&path, fuzzer))
1803 return false;
1804 *p = URLPattern(valid_schemes);
1805 p->SetHost(host);
1806 p->SetPort(port);
1807 p->SetPath(path);
1808 return true;
1809 }
1810 };
1811
1812 template <>
1813 struct FuzzTraits<webrtc::DesktopSize> {
1814 static bool Fuzz(webrtc::DesktopSize* p, Fuzzer* fuzzer) {
1815 int32_t width = p->width();
1816 int32_t height = p->height();
1817 if (!FuzzParam(&width, fuzzer))
1818 return false;
1819 if (!FuzzParam(&height, fuzzer))
1820 return false;
1821 *p = webrtc::DesktopSize(width, height);
1822 return true;
1823 }
1824 };
1825
1826 template <>
1827 struct FuzzTraits<webrtc::DesktopVector> {
1828 static bool Fuzz(webrtc::DesktopVector* p, Fuzzer* fuzzer) {
1829 int32_t x = p->x();
1830 int32_t y = p->y();
1831 if (!FuzzParam(&x, fuzzer))
1832 return false;
1833 if (!FuzzParam(&y, fuzzer))
1834 return false;
1835 p->set(x, y);
1836 return true;
1837 }
1838 };
1839
1840 template <>
1841 struct FuzzTraits<webrtc::DesktopRect> {
1842 static bool Fuzz(webrtc::DesktopRect* p, Fuzzer* fuzzer) {
1843 int32_t left = p->left();
1844 int32_t top = p->top();
1845 int32_t right = p->right();
1846 int32_t bottom = p->bottom();
1847 if (!FuzzParam(&left, fuzzer))
1848 return false;
1849 if (!FuzzParam(&top, fuzzer))
1850 return false;
1851 if (!FuzzParam(&right, fuzzer))
1852 return false;
1853 if (!FuzzParam(&bottom, fuzzer))
1854 return false;
1855 *p = webrtc::DesktopRect::MakeLTRB(left, top, right, bottom);
1856 return true;
1857 }
1858 };
1859
1860 template <>
1861 struct FuzzTraits<webrtc::MouseCursor> {
1862 static bool Fuzz(webrtc::MouseCursor* p, Fuzzer* fuzzer) {
1863 webrtc::DesktopVector hotspot = p->hotspot();
1864 if (!FuzzParam(&hotspot, fuzzer))
1865 return false;
1866 p->set_hotspot(hotspot);
1867
1868 // TODO(mbarbella): Find a way to handle the size mutation properly.
1869 if (!fuzzer->ShouldGenerate())
1870 return false;
1871
1872 // Using a small size here to avoid OOM or overflow on image allocation.
1873 webrtc::DesktopSize size(RandInRange(100), RandInRange(100));
1874 p->set_image(new webrtc::BasicDesktopFrame(size));
1875 return true;
1876 }
1877 };
1878
1879 // Redefine macros to generate generating from traits declarations.
1880 // STRUCT declarations cause corresponding STRUCT_TRAITS declarations to occur.
1881 #undef IPC_STRUCT_BEGIN
1882 #undef IPC_STRUCT_BEGIN_WITH_PARENT
1883 #undef IPC_STRUCT_MEMBER
1884 #undef IPC_STRUCT_END
1885 #define IPC_STRUCT_BEGIN_WITH_PARENT(struct_name, parent) \
1886 IPC_STRUCT_BEGIN(struct_name)
1887 #define IPC_STRUCT_BEGIN(struct_name) IPC_STRUCT_TRAITS_BEGIN(struct_name)
1888 #define IPC_STRUCT_MEMBER(type, name, ...) IPC_STRUCT_TRAITS_MEMBER(name)
1889 #define IPC_STRUCT_END() IPC_STRUCT_TRAITS_END()
1890
1891 // Set up so next include will generate generate trait classes.
1892 #undef IPC_STRUCT_TRAITS_BEGIN
1893 #undef IPC_STRUCT_TRAITS_MEMBER
1894 #undef IPC_STRUCT_TRAITS_PARENT
1895 #undef IPC_STRUCT_TRAITS_END
1896 #define IPC_STRUCT_TRAITS_BEGIN(struct_name) \
1897 template <> \
1898 struct FuzzTraits<struct_name> { \
1899 static bool Fuzz(struct_name *p, Fuzzer* fuzzer) {
1900
1901 #define IPC_STRUCT_TRAITS_MEMBER(name) \
1902 if (!FuzzParam(&p->name, fuzzer)) \
1903 return false;
1904
1905 #define IPC_STRUCT_TRAITS_PARENT(type) \
1906 if (!FuzzParam(static_cast<type*>(p), fuzzer)) \
1907 return false;
1908
1909 #define IPC_STRUCT_TRAITS_END() \
1910 return true; \
1911 } \
1912 };
1913
1914 // If |condition| isn't met, the messsge will fail to serialize. Try
1915 // increasingly smaller ranges until we find one that happens to meet
1916 // the condition, or fail trying.
1917 // TODO(mbarbella): Attempt to validate even in the mutation case.
1918 #undef IPC_ENUM_TRAITS_VALIDATE
1919 #define IPC_ENUM_TRAITS_VALIDATE(enum_name, condition) \
1920 template <> \
1921 struct FuzzTraits<enum_name> { \
1922 static bool Fuzz(enum_name* p, Fuzzer* fuzzer) { \
1923 if (!fuzzer->ShouldGenerate()) { \
1924 return FuzzParam(reinterpret_cast<int*>(p), fuzzer); \
1925 } \
1926 for (int shift = 30; shift; --shift) { \
1927 for (int tries = 0; tries < 2; ++tries) { \
1928 int value = RandInRange(1 << shift); \
1929 if (condition) { \
1930 *reinterpret_cast<int*>(p) = value; \
1931 return true; \
1932 } \
1933 } \
1934 } \
1935 std::cerr << "failed to satisfy " << #condition << "\n"; \
1936 return false; \
1937 } \
1938 };
1939
1940 // Bring them into existence.
1941 #include "tools/ipc_fuzzer/message_lib/all_messages.h"
1942 #include "ipc/ipc_message_null_macros.h"
1943
1944 // Redefine macros to generate generating funtions
1945 #undef IPC_MESSAGE_DECL
1946 #define IPC_MESSAGE_DECL(kind, type, name, in, out, ilist, olist) \
1947 IPC_##kind##_##type##_FUZZ(name, in, out, ilist, olist)
1948
1949 #define IPC_EMPTY_CONTROL_FUZZ(name, in, out, ilist, olist) \
1950 IPC::Message* fuzzer_for_##name(IPC::Message* msg, Fuzzer* fuzzer) { \
1951 if (msg) { \
1952 return NULL; \
1953 } \
1954 return new name(); \
1955 }
1956
1957 #define IPC_EMPTY_ROUTED_FUZZ(name, in, out, ilist, olist) \
1958 IPC::Message* fuzzer_for_##name(IPC::Message* msg, Fuzzer* fuzzer) { \
1959 if (msg) { \
1960 return NULL; \
1961 } \
1962 return new name(RandInRange(MAX_FAKE_ROUTING_ID)); \
1963 }
1964
1965 #define IPC_ASYNC_CONTROL_FUZZ(name, in, out, ilist, olist) \
1966 IPC::Message* fuzzer_for_##name(IPC::Message* msg, Fuzzer* fuzzer) { \
1967 IPC_TUPLE_IN_##in ilist p; \
1968 if (msg) { \
1969 name::Read(static_cast<name*>(msg), &p); \
1970 } \
1971 if (FuzzParam(&p, fuzzer)) { \
1972 return new name(IPC_MEMBERS_IN_##in(p)); \
1973 } \
1974 std::cerr << "Don't know how to handle " << #name << "\n"; \
1975 return 0; \
1976 }
1977
1978 #define IPC_ASYNC_ROUTED_FUZZ(name, in, out, ilist, olist) \
1979 IPC::Message* fuzzer_for_##name(IPC::Message* msg, Fuzzer* fuzzer) { \
1980 IPC_TUPLE_IN_##in ilist p; \
1981 if (msg) { \
1982 name::Read(static_cast<name*>(msg), &p); \
1983 } \
1984 if (FuzzParam(&p, fuzzer)) { \
1985 return new name(RandInRange(MAX_FAKE_ROUTING_ID) \
1986 IPC_COMMA_##in \
1987 IPC_MEMBERS_IN_##in(p)); \
1988 } \
1989 std::cerr << "Don't know how to handle " << #name << "\n"; \
1990 return 0; \
1991 }
1992
1993 #define IPC_SYNC_CONTROL_FUZZ(name, in, out, ilist, olist) \
1994 IPC::Message* fuzzer_for_##name(IPC::Message* msg, Fuzzer* fuzzer) { \
1995 IPC_TUPLE_IN_##in ilist p; \
1996 name* real_msg = static_cast<name*>(msg); \
1997 name* new_msg = NULL; \
1998 if (real_msg) { \
1999 name::ReadSendParam(real_msg, &p); \
2000 } \
2001 if (FuzzParam(&p, fuzzer)) { \
2002 new_msg = new name(IPC_MEMBERS_IN_##in(p) \
2003 IPC_COMMA_AND_##out(IPC_COMMA_##in) \
2004 IPC_MEMBERS_OUT_##out()); \
2005 } \
2006 if (real_msg && new_msg) { \
2007 MessageCracker::CopyMessageID(new_msg, real_msg); \
2008 } \
2009 else if (!new_msg) { \
2010 std::cerr << "Don't know how to handle " << #name << "\n"; \
2011 } \
2012 return new_msg; \
2013 }
2014
2015 #define IPC_SYNC_ROUTED_FUZZ(name, in, out, ilist, olist) \
2016 IPC::Message* fuzzer_for_##name(IPC::Message* msg, Fuzzer* fuzzer) { \
2017 IPC_TUPLE_IN_##in ilist p; \
2018 name* real_msg = static_cast<name*>(msg); \
2019 name* new_msg = NULL; \
2020 if (real_msg) { \
2021 name::ReadSendParam(real_msg, &p); \
2022 } \
2023 if (FuzzParam(&p, fuzzer)) { \
2024 new_msg = new name(RandInRange(MAX_FAKE_ROUTING_ID) \
2025 IPC_COMMA_OR_##out(IPC_COMMA_##in) \
2026 IPC_MEMBERS_IN_##in(p) \
2027 IPC_COMMA_AND_##out(IPC_COMMA_##in) \
2028 IPC_MEMBERS_OUT_##out()); \
2029 } \
2030 if (real_msg && new_msg) { \
2031 MessageCracker::CopyMessageID(new_msg, real_msg); \
2032 } \
2033 else if (!new_msg) { \
2034 std::cerr << "Don't know how to handle " << #name << "\n"; \
2035 } \
2036 return new_msg; \
2037 }
2038
2039 #define MAX_FAKE_ROUTING_ID 15
2040
2041 #define IPC_MEMBERS_IN_0(p)
2042 #define IPC_MEMBERS_IN_1(p) get<0>(p)
2043 #define IPC_MEMBERS_IN_2(p) get<0>(p), get<1>(p)
2044 #define IPC_MEMBERS_IN_3(p) get<0>(p), get<1>(p), get<2>(p)
2045 #define IPC_MEMBERS_IN_4(p) get<0>(p), get<1>(p), get<2>(p), get<3>(p)
2046 #define IPC_MEMBERS_IN_5(p) get<0>(p), get<1>(p), get<2>(p), get<3>(p), \
2047 get<4>(p)
2048
2049 #define IPC_MEMBERS_OUT_0()
2050 #define IPC_MEMBERS_OUT_1() NULL
2051 #define IPC_MEMBERS_OUT_2() NULL, NULL
2052 #define IPC_MEMBERS_OUT_3() NULL, NULL, NULL
2053 #define IPC_MEMBERS_OUT_4() NULL, NULL, NULL, NULL
2054 #define IPC_MEMBERS_OUT_5() NULL, NULL, NULL, NULL, NULL
2055
2056 #include "tools/ipc_fuzzer/message_lib/all_messages.h"
2057 #include "ipc/ipc_message_null_macros.h"
2058
2059 void PopulateFuzzerFunctionVector(
2060 FuzzerFunctionVector* function_vector) {
2061 #undef IPC_MESSAGE_DECL
2062 #define IPC_MESSAGE_DECL(kind, type, name, in, out, ilist, olist) \
2063 function_vector->push_back(fuzzer_for_##name);
2064 #include "tools/ipc_fuzzer/message_lib/all_messages.h"
2065 }
2066
2067 // Redefine macros to register fuzzing functions into map.
2068 #include "ipc/ipc_message_null_macros.h"
2069 #undef IPC_MESSAGE_DECL
2070 #define IPC_MESSAGE_DECL(kind, type, name, in, out, ilist, olist) \
2071 (*map)[static_cast<uint32>(name::ID)] = fuzzer_for_##name;
2072
2073 void PopulateFuzzerFunctionMap(FuzzerFunctionMap* map) {
2074 #include "tools/ipc_fuzzer/message_lib/all_messages.h"
2075 }
2076
2077 } // namespace ipc_fuzzer
OLDNEW
« tools/ipc_fuzzer/mutate/fuzzer.h ('K') | « tools/ipc_fuzzer/mutate/fuzzer.h ('k') | tools/ipc_fuzzer/mutate/generate.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698