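--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,181 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <iostream>
+#include <string>
+
+#include "base/basictypes.h"
+#include "base/command_line.h"
+#include "base/strings/string_util.h"
+#include "tools/ipc_fuzzer/mutate/generator.h"
+#include "tools/ipc_fuzzer/mutate/rand_util.h"
+
+namespace ipc_fuzzer {
+
+template <typename T>
+void GenerateIntegralType(T* value) {
+switch (RandInRange(16)) {
+case 0:
+*value = static_cast<T>(0);
+break;
+case 1:
+*value = static_cast<T>(1);
+break;
+case 2:
+*value = static_cast<T>(-1);
+break;
+case 3:
+*value = static_cast<T>(2);
+break;
+default:
+*value = static_cast<T>(RandU64());
+break;
+}
+}
+
+template <typename T>
+void GenerateFloatingType(T* value) {
+*value = RandDouble();
+}
+
+template <typename T>
+void GenerateStringType(T* value) {
+T temp_string;
+size_t length = RandInRange(300);
+for (size_t i = 0; i < length; ++i)
+temp_string += RandInRange(256);
+*value = temp_string;
+}
+
+void Generator::FuzzBool(bool* value) {
+*value = RandInRange(2) ? true: false;
+}
+
+void Generator::FuzzInt(int* value) {
+GenerateIntegralType<int>(value);
+}
+
+void Generator::FuzzLong(long* value) {
+GenerateIntegralType<long>(value);
+}
+
+void Generator::FuzzSize(size_t* value) {
+GenerateIntegralType<size_t>(value);
+}
+
+void Generator::FuzzUChar(unsigned char* value) {
+GenerateIntegralType<unsigned char>(value);
+}
+
+void Generator::FuzzWChar(wchar_t* value) {
+GenerateIntegralType<wchar_t>(value);
+}
+
+void Generator::FuzzUInt16(uint16* value) {
+GenerateIntegralType<uint16>(value);
+}
+
+void Generator::FuzzUInt32(uint32* value) {
+GenerateIntegralType<uint32>(value);
+}
+
+void Generator::FuzzInt64(int64* value) {
+GenerateIntegralType<int64>(value);
+}
+
+void Generator::FuzzUInt64(uint64* value) {
+GenerateIntegralType<uint64>(value);
+}
+
+void Generator::FuzzFloat(float* value) {
+GenerateFloatingType<float>(value);
+}
+
+void Generator::FuzzDouble(double* value) {
+GenerateFloatingType<double>(value);
+}
+
+void Generator::FuzzString(std::string* value) {
+GenerateStringType<std::string>(value);
+}
+
+void Generator::FuzzString16(base::string16* value) {
+GenerateStringType<base::string16>(value);
+}
+
+void Generator::FuzzData(char* data, int length) {
+for (int i = 0; i < length; ++i) {
+GenerateIntegralType<char>(&data[i]);
+}
+}
+
+void Generator::FuzzBytes(void* data, int data_len) {
+FuzzData(static_cast<char*>(data), data_len);
+}
+
+bool Generator::ShouldGenerate() {
+// The generator fuzzer should always generate new values.
+return true;
+}
+
+static const char kCountSwitch[] = "count";
+static const char kHelpSwitch[] = "help";
+
+int GenerateMain(int argc, char** argv) {
+base::CommandLine::Init(argc, argv);
+base::CommandLine* cmd = base::CommandLine::ForCurrentProcess();
+base::CommandLine::StringVector args = cmd->GetArgs();
+
+if (args.size() != 1 || cmd->HasSwitch(kHelpSwitch)) {
+std::cerr << "Usage: ipc_fuzzer_generate [--help] [--count=n] outfile\n";
+return EXIT_FAILURE;
+}
+base::FilePath::StringType output_file_name = args[0];
+
+int message_count = 1000;
+if (cmd->HasSwitch(kCountSwitch))
+message_count = atoi(cmd->GetSwitchValueASCII(kCountSwitch).c_str());
+
+InitRand();
+
+PopulateFuzzerFunctionVector(&g_function_vector);
+std::cerr << "Counted " << g_function_vector.size()
+<< " distinct messages present in chrome.\n";
+
+Fuzzer* fuzzer = new Generator();
+MessageVector message_vector;
+
+int bad_count = 0;
+if (message_count < 0) {
+// Enumerate them all.
+for (size_t i = 0; i < g_function_vector.size(); ++i) {
+if (IPC::Message* new_message = (*g_function_vector[i])(NULL, fuzzer))
+message_vector.push_back(new_message);
+else
+bad_count += 1;
+}
+} else {
+// Fuzz a random batch.
+for (int i = 0; i < message_count; ++i) {
+size_t index = RandInRange(g_function_vector.size());
+if (IPC::Message* new_message = (*g_function_vector[index])(NULL, fuzzer))
+message_vector.push_back(new_message);
+else
+bad_count += 1;
+}
+}
+
+std::cerr << "Failed to generate " << bad_count << " messages.\n";
+
+if (!MessageFile::Write(base::FilePath(output_file_name), message_vector))
+return EXIT_FAILURE;
+
+return EXIT_SUCCESS;
+}
+
+} // namespace ipc_fuzzer
+
+int main(int argc, char** argv) {
+return ipc_fuzzer::GenerateMain(argc, argv);
+}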
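Review bot: GenerateMain uses `EXIT_FAILURE`, `EXIT_SUCCESS` and `atoi` but the file only includes `<iostream>` and `<string>`, so it compiles through a transitive include; add `#include <cstdlib>` beside `#include <iostream>`. The random-batch loop also calls `RandInRange(g_function_vector.size())` with no guard for an empty vector after PopulateFuzzerFunctionVector; if RandInRange reduces modulo its argument (its definition is not on this page), that is a division by zero, so `if (g_function_vector.empty()) return EXIT_FAILURE;` after the "Counted" message would be worth adding. The `count` switch is parsed with `atoi`, which silently yields 0 for non-numeric input and makes a typo produce an empty output file rather than a usage error; `base::StringToInt` with a failure check would surface that. The `Generator` allocated with `new` and the `IPC::Message` objects pushed into message_vector are never freed; this is harmless at process exit but worth a short comment stating that intent.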