| OLD | NEW | 
| (Empty) |  | 
 |   1 // Copyright 2015 The Chromium Authors. All rights reserved. | 
 |   2 // Use of this source code is governed by a BSD-style license that can be | 
 |   3 // found in the LICENSE file. | 
 |   4  | 
 |   5 #ifndef TOOLS_IPC_FUZZER_MUTATE_FUZZER_H_ | 
 |   6 #define TOOLS_IPC_FUZZER_MUTATE_FUZZER_H_ | 
 |   7  | 
 |   8 #include <string> | 
 |   9 #include <vector> | 
 |  10  | 
 |  11 #include "base/basictypes.h" | 
 |  12 #include "base/strings/string_util.h" | 
 |  13 #include "ipc/ipc_message.h" | 
 |  14  | 
 |  15 namespace ipc_fuzzer { | 
 |  16  | 
 |  17 // Interface implemented by those who generate basic types.  The types all | 
 |  18 // correspond to the types which a pickle from base/pickle.h can pickle, | 
 |  19 // plus the floating point types. | 
 |  20 class Fuzzer { | 
 |  21  public: | 
 |  22   // Functions for various data types. | 
 |  23   virtual void FuzzBool(bool* value) = 0; | 
 |  24   virtual void FuzzInt(int* value) = 0; | 
 |  25   virtual void FuzzLong(long* value) = 0; | 
 |  26   virtual void FuzzSize(size_t* value) = 0; | 
 |  27   virtual void FuzzUChar(unsigned char* value) = 0; | 
 |  28   virtual void FuzzWChar(wchar_t* value) = 0; | 
 |  29   virtual void FuzzUInt16(uint16* value) = 0; | 
 |  30   virtual void FuzzUInt32(uint32* value) = 0; | 
 |  31   virtual void FuzzInt64(int64* value) = 0; | 
 |  32   virtual void FuzzUInt64(uint64* value) = 0; | 
 |  33   virtual void FuzzFloat(float* value) = 0; | 
 |  34   virtual void FuzzDouble(double *value) = 0; | 
 |  35   virtual void FuzzString(std::string* value) = 0; | 
 |  36   virtual void FuzzString16(base::string16* value) = 0; | 
 |  37   virtual void FuzzData(char* data, int length) = 0; | 
 |  38   virtual void FuzzBytes(void* data, int data_len) = 0; | 
 |  39  | 
 |  40   // Used to determine if a completely new value should be generated for | 
 |  41   // certain types instead of attempting to modify the existing one. | 
 |  42   virtual bool ShouldGenerate(); | 
 |  43 }; | 
 |  44  | 
 |  45 class NoOpFuzzer : public Fuzzer { | 
 |  46  public: | 
 |  47   NoOpFuzzer() {} | 
 |  48   virtual ~NoOpFuzzer() {} | 
 |  49  | 
 |  50   void FuzzBool(bool* value) override {} | 
 |  51   void FuzzInt(int* value) override {} | 
 |  52   void FuzzLong(long* value) override {} | 
 |  53   void FuzzSize(size_t* value) override {} | 
 |  54   void FuzzUChar(unsigned char* value) override {} | 
 |  55   void FuzzWChar(wchar_t* value) override {} | 
 |  56   void FuzzUInt16(uint16* value) override {} | 
 |  57   void FuzzUInt32(uint32* value) override {} | 
 |  58   void FuzzInt64(int64* value) override {} | 
 |  59   void FuzzUInt64(uint64* value) override {} | 
 |  60   void FuzzFloat(float* value) override {} | 
 |  61   void FuzzDouble(double* value) override {} | 
 |  62   void FuzzString(std::string* value) override {} | 
 |  63   void FuzzString16(base::string16* value) override {} | 
 |  64   void FuzzData(char* data, int length) override {} | 
 |  65   void FuzzBytes(void* data, int data_len) override {} | 
 |  66 }; | 
 |  67  | 
 |  68 typedef IPC::Message* (*FuzzerFunction)(IPC::Message*, Fuzzer*); | 
 |  69  | 
 |  70 // Used for mutating messages. Once populated, the map associates a message ID | 
 |  71 // with a FuzzerFunction used for mutation of that message type. | 
 |  72 typedef base::hash_map<uint32, FuzzerFunction> FuzzerFunctionMap; | 
 |  73 void PopulateFuzzerFunctionMap(FuzzerFunctionMap* map); | 
 |  74  | 
 |  75 // Used for generating new messages. Once populated, the vector contains | 
 |  76 // FuzzerFunctions for all message types that we know how to generate. | 
 |  77 typedef std::vector<FuzzerFunction> FuzzerFunctionVector; | 
 |  78 void PopulateFuzzerFunctionVector(FuzzerFunctionVector* function_vector); | 
 |  79  | 
 |  80 // Since IPC::Message can be serialized, we also track a global function vector | 
 |  81 // to handle generation of new messages while fuzzing. | 
 |  82 extern FuzzerFunctionVector g_function_vector; | 
 |  83  | 
 |  84 }  // namespace ipc_fuzzer | 
 |  85  | 
 |  86 #endif  // TOOLS_IPC_FUZZER_MUTATE_FUZZER_H_ | 
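Review bot: `Fuzzer` declares pure virtual methods but no virtual destructor, while `NoOpFuzzer` declares `virtual ~NoOpFuzzer() {}`; if any caller deletes an implementation through a `Fuzzer*` (not visible in this file), that is undefined behavior. Add `virtual ~Fuzzer() {}` to the public section of `Fuzzer`. The `FuzzerFunctionMap` typedef uses `base::hash_map`, but no include in this header names the hash-table header, so it presumably compiles only through a transitive include; including it directly would make the header self-contained. It would also help to document on `FuzzerFunction` who owns the returned `IPC::Message*`, and on `FuzzData`/`FuzzBytes` that the signed `int` length must be non-negative and no larger than the buffer, e.g. `// |length| is the size of |data| in bytes; must be >= 0.`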