Combine traits for IPC mutation and generation fuzzing plus other refactoring.

tools/ipc_fuzzer/mutate/mutator.cc

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <iostream>
+#include <set>
+#include <string>
+#include <vector>
+
+#include "base/basictypes.h"
+#include "base/command_line.h"
+#include "base/strings/string_split.h"
+#include "base/strings/string_util.h"
+#include "base/strings/utf_string_conversions.h"
+#include "ipc/ipc_message.h"
+#include "ipc/ipc_message_macros.h"
+#include "tools/ipc_fuzzer/mutate/mutator.h"
+#include "tools/ipc_fuzzer/mutate/rand_util.h"
+
+namespace ipc_fuzzer {
+
+template <typename T>
+void FuzzIntegralType(T* value, unsigned int frequency) {
+  if (RandEvent(frequency)) {
+    switch (RandInRange(4)) {
+      case 0: (*value) = 0; break;
+      case 1: (*value)--; break;
+      case 2: (*value)++; break;
+      case 3: (*value) = RandU64(); break;
+    }
+  }
+}
+
+template <typename T>
+void FuzzStringType(T* value, unsigned int frequency,
+                    const T& literal1, const T& literal2) {
+  if (RandEvent(frequency)) {
+    switch (RandInRange(5)) {
+      case 4: (*value) = (*value) + (*value);   // FALLTHROUGH
+      case 3: (*value) = (*value) + (*value);   // FALLTHROUGH
+      case 2: (*value) = (*value) + (*value); break;
+      case 1: (*value) += literal1; break;
+      case 0: (*value) = literal2; break;
+    }
+  }
+}
+
+void Mutator::FuzzBool(bool* value) {
+  if (RandEvent(frequency_))
+    (*value) = !(*value);
+}
+
+void Mutator::FuzzInt(int* value) {
+  FuzzIntegralType<int>(value, frequency_);
+}
+
+void Mutator::FuzzLong(long* value) {
+  FuzzIntegralType<long>(value, frequency_);
+}
+
+void Mutator::FuzzSize(size_t* value) {
+  FuzzIntegralType<size_t>(value, frequency_);
+}
+
+void Mutator::FuzzUChar(unsigned char* value) {
+  FuzzIntegralType<unsigned char>(value, frequency_);
+}
+
+void Mutator::FuzzWChar(wchar_t* value) {
+  FuzzIntegralType<wchar_t>(value, frequency_);
+}
+
+void Mutator::FuzzUInt16(uint16* value) {
+  FuzzIntegralType<uint16>(value, frequency_);
+}
+
+void Mutator::FuzzUInt32(uint32* value) {
+  FuzzIntegralType<uint32>(value, frequency_);
+}
+
+void Mutator::FuzzInt64(int64* value) {
+  FuzzIntegralType<int64>(value, frequency_);
+}
+
+void Mutator::FuzzUInt64(uint64* value) {
+  FuzzIntegralType<uint64>(value, frequency_);
+}
+
+void Mutator::FuzzFloat(float* value) {
+  if (RandEvent(frequency_))
+    *value = RandDouble();
+}
+
+void Mutator::FuzzDouble(double* value) {
+  if (RandEvent(frequency_))
+    *value = RandDouble();
+}
+
+void Mutator:: FuzzString(std::string* value) {
+  FuzzStringType<std::string>(value, frequency_, "BORKED", std::string());
+}
+
+void Mutator::FuzzString16(base::string16* value) {
+  FuzzStringType<base::string16>(value, frequency_,
+                                 base::WideToUTF16(L"BORKED"),
+                                 base::WideToUTF16(L""));
+}
+
+void Mutator::FuzzData(char* data, int length) {
+  if (RandEvent(frequency_)) {
+    for (int i = 0; i < length; ++i) {
+      FuzzIntegralType<char>(&data[i], frequency_);
+    }
+  }
+}
+
+void Mutator::FuzzBytes(void* data, int data_len) {
+  FuzzData(static_cast<char*>(data), data_len);
+}
+
+bool Mutator::ShouldGenerate() {
+  // TODO(mbarbella): With a low probability, allow something to be fully
+  // rewritten while mutating instead of always changing the existing value.
+  return false;
+}
+
+class FuzzerFactory {
+ public:
+  static Fuzzer *Create(const std::string& name, int frequency) {
+    if (name == "no-op")
+      return new NoOpFuzzer();
+
+    if (name == "default")
+      return new Mutator(frequency);
+
+    std::cerr << "No such fuzzer: " << name << "\n";
+    return 0;
+  }
+};
+
+static IPC::Message* RewriteMessage(
+    IPC::Message* message,
+    Fuzzer* fuzzer,
+    FuzzerFunctionMap* map) {
+  FuzzerFunctionMap::iterator it = map->find(message->type());
+  if (it == map->end()) {
+    // This usually indicates a missing message file in all_messages.h, or
+    // that the message dump file is taken from a different revision of
+    // chromium from this executable.
+    std::cerr << "Unknown message type: ["
+              << IPC_MESSAGE_ID_CLASS(message->type()) << ", "
+              << IPC_MESSAGE_ID_LINE(message->type()) << "].\n";
+    return 0;
+  }
+
+  return (*it->second)(message, fuzzer);
+}
+
+namespace {
+
+static const char kHelpSwitch[] = "help";
+const char kHelpSwitchHelp[] =
+    "show this message";
+
+const char kFrequencySwitch[] = "frequency";
+const char kFrequencySwitchHelp[] =
+    "probability of mutation; tweak every 1/|q| times.";
+
+const char kFuzzerNameSwitch[] = "fuzzer-name";
+const char kFuzzerNameSwitchHelp[] =
+    "select default or no-op fuzzer.";
+
+const char kPermuteSwitch[] = "permute";
+const char kPermuteSwitchHelp[] =
+    "Randomly shuffle the order of all messages.";
+
+const char kTypeListSwitch[] = "type-list";
+const char kTypeListSwitchHelp[] =
+    "explicit list of the only message-ids to mutate.";
+
+void usage() {
+  std::cerr << "Mutate messages from an exiting message file.\n";
+
+  std::cerr << "Usage:\n"
+            << "  ipc_fuzzer_mutate"
+            << " [--" << kHelpSwitch << "]"
+            << " [--" << kFuzzerNameSwitch << "=f]"
+            << " [--" << kFrequencySwitch << "=q]"
+            << " [--" << kTypeListSwitch << "=x,y,z...]"
+            << " [--" << kPermuteSwitch << "]"
+            << " infile outfile\n";
+
+  std::cerr
+      << " --" << kHelpSwitch << "         - " << kHelpSwitchHelp << "\n"
+      << " --" << kFuzzerNameSwitch <<  "  - " << kFuzzerNameSwitchHelp << "\n"
+      << " --" << kFrequencySwitch << "    - " << kFrequencySwitchHelp << "\n"
+      << " --" << kTypeListSwitch <<  "    - " << kTypeListSwitchHelp << "\n"
+      << " --" << kPermuteSwitch << "      - " << kPermuteSwitchHelp << "\n";
+}
+
+}  // namespace
+
+int MutateMain(int argc, char** argv) {
+  base::CommandLine::Init(argc, argv);
+  base::CommandLine* cmd = base::CommandLine::ForCurrentProcess();
+  base::CommandLine::StringVector args = cmd->GetArgs();
+
+  if (args.size() != 2 || cmd->HasSwitch(kHelpSwitch)) {
+    usage();
+    return EXIT_FAILURE;
+  }
+
+  base::FilePath::StringType input_file_name = args[0];
+  base::FilePath::StringType output_file_name = args[1];
+
+  bool permute = cmd->HasSwitch(kPermuteSwitch);
+
+  std::string fuzzer_name = "default";
+  if (cmd->HasSwitch(kFuzzerNameSwitch))
+    fuzzer_name = cmd->GetSwitchValueASCII(kFuzzerNameSwitch);
+
+  int frequency = 23;

[inferno, 2015/03/16 18:56:35]

this 23 should a global. why 23 ? 20 as a percent looks good.

[Martin Barbella, 2015/03/16 19:19:55]

This is almost an exact copy of the old MutateMain, so not sure why the number
was chosen. Same for other comments. I think we need some cleanup here, but I'd
rather handle this kind of change (along with other tweaks to how we handle
frequencies) in another CL.

+  if (cmd->HasSwitch(kFrequencySwitch))
+    frequency = atoi(cmd->GetSwitchValueASCII(kFrequencySwitch).c_str());
+
+  std::string type_string_list = cmd->GetSwitchValueASCII(kTypeListSwitch);
+  std::vector<std::string> type_string_vector;
+  base::SplitString(type_string_list, ',', &type_string_vector);
+  std::set<uint32> type_set;
+  for (size_t i = 0; i < type_string_vector.size(); ++i) {
+    type_set.insert(atoi(type_string_vector[i].c_str()));
+  }
+
+  InitRand();
+
+  Fuzzer* fuzzer = FuzzerFactory::Create(fuzzer_name, frequency);
+  if (!fuzzer)
+    return EXIT_FAILURE;
+
+  FuzzerFunctionMap fuzz_function_map;
+  PopulateFuzzerFunctionMap(&fuzz_function_map);
+  PopulateFuzzerFunctionVector(&g_function_vector);
+
+  MessageVector message_vector;
+  if (!MessageFile::Read(base::FilePath(input_file_name), &message_vector))
+    return EXIT_FAILURE;
+
+  for (size_t i = 0; i < message_vector.size(); ++i) {
+    IPC::Message* msg = message_vector[i];
+    if (!type_set.empty() && type_set.end() == std::find(

[inferno, 2015/03/16 18:56:35]

Add a comment.

[Martin Barbella, 2015/03/16 19:19:55]

Since I changed the macros, that's a good idea for this CL.

+            type_set.begin(), type_set.end(), msg->type())) {
+      continue;
+    }
+    IPC::Message* new_message = RewriteMessage(msg, fuzzer, &fuzz_function_map);
+    if (new_message) {
+      delete message_vector[i];

[inferno, 2015/03/16 18:56:35]

Wont this shift the vector, you might wanna assign to a local then subsitute and
then delete local.

[Martin Barbella, 2015/03/16 19:19:55]

Good point. This is a copy, but I think it's worth addressing it now.

+      message_vector[i] = new_message;
+    }
+  }
+
+  if (permute) {
+    std::random_shuffle(message_vector.begin(), message_vector.end(),
+                        RandInRange);
+  }
+
+  if (!MessageFile::Write(base::FilePath(output_file_name), message_vector))
+    return EXIT_FAILURE;
+
+  return EXIT_SUCCESS;
+}
+
+}  // namespace ipc_fuzzer
+
+int main(int argc, char** argv) {
+  return ipc_fuzzer::MutateMain(argc, argv);
+}