| Index: tools/ipc_fuzzer/mutate/generator.cc
|
| diff --git a/tools/ipc_fuzzer/mutate/generator.cc b/tools/ipc_fuzzer/mutate/generator.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..25e0e48c17067b00c2911afaa52fdbe8f62e8014
|
| --- /dev/null
|
| +++ b/tools/ipc_fuzzer/mutate/generator.cc
|
| @@ -0,0 +1,181 @@
|
| +// Copyright 2015 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include <iostream>
|
| +#include <string>
|
| +
|
| +#include "base/basictypes.h"
|
| +#include "base/command_line.h"
|
| +#include "base/strings/string_util.h"
|
| +#include "tools/ipc_fuzzer/mutate/generator.h"
|
| +#include "tools/ipc_fuzzer/mutate/rand_util.h"
|
| +
|
| +namespace ipc_fuzzer {
|
| +
|
| +template <typename T>
|
| +void GenerateIntegralType(T* value) {
|
| + switch (RandInRange(16)) {
|
| + case 0:
|
| + *value = static_cast<T>(0);
|
| + break;
|
| + case 1:
|
| + *value = static_cast<T>(1);
|
| + break;
|
| + case 2:
|
| + *value = static_cast<T>(-1);
|
| + break;
|
| + case 3:
|
| + *value = static_cast<T>(2);
|
| + break;
|
| + default:
|
| + *value = static_cast<T>(RandU64());
|
| + break;
|
| + }
|
| +}
|
| +
|
| +template <typename T>
|
| +void GenerateFloatingType(T* value) {
|
| + *value = RandDouble();
|
| +}
|
| +
|
| +template <typename T>
|
| +void GenerateStringType(T* value) {
|
| + T temp_string;
|
| + size_t length = RandInRange(300);
|
| + for (size_t i = 0; i < length; ++i)
|
| + temp_string += RandInRange(256);
|
| + *value = temp_string;
|
| +}
|
| +
|
| +void Generator::FuzzBool(bool* value) {
|
| + *value = RandInRange(2) ? true: false;
|
| +}
|
| +
|
| +void Generator::FuzzInt(int* value) {
|
| + GenerateIntegralType<int>(value);
|
| +}
|
| +
|
| +void Generator::FuzzLong(long* value) {
|
| + GenerateIntegralType<long>(value);
|
| +}
|
| +
|
| +void Generator::FuzzSize(size_t* value) {
|
| + GenerateIntegralType<size_t>(value);
|
| +}
|
| +
|
| +void Generator::FuzzUChar(unsigned char* value) {
|
| + GenerateIntegralType<unsigned char>(value);
|
| +}
|
| +
|
| +void Generator::FuzzWChar(wchar_t* value) {
|
| + GenerateIntegralType<wchar_t>(value);
|
| +}
|
| +
|
| +void Generator::FuzzUInt16(uint16* value) {
|
| + GenerateIntegralType<uint16>(value);
|
| +}
|
| +
|
| +void Generator::FuzzUInt32(uint32* value) {
|
| + GenerateIntegralType<uint32>(value);
|
| +}
|
| +
|
| +void Generator::FuzzInt64(int64* value) {
|
| + GenerateIntegralType<int64>(value);
|
| +}
|
| +
|
| +void Generator::FuzzUInt64(uint64* value) {
|
| + GenerateIntegralType<uint64>(value);
|
| +}
|
| +
|
| +void Generator::FuzzFloat(float* value) {
|
| + GenerateFloatingType<float>(value);
|
| +}
|
| +
|
| +void Generator::FuzzDouble(double* value) {
|
| + GenerateFloatingType<double>(value);
|
| +}
|
| +
|
| +void Generator::FuzzString(std::string* value) {
|
| + GenerateStringType<std::string>(value);
|
| +}
|
| +
|
| +void Generator::FuzzString16(base::string16* value) {
|
| + GenerateStringType<base::string16>(value);
|
| +}
|
| +
|
| +void Generator::FuzzData(char* data, int length) {
|
| + for (int i = 0; i < length; ++i) {
|
| + GenerateIntegralType<char>(&data[i]);
|
| + }
|
| +}
|
| +
|
| +void Generator::FuzzBytes(void* data, int data_len) {
|
| + FuzzData(static_cast<char*>(data), data_len);
|
| +}
|
| +
|
| +bool Generator::ShouldGenerate() {
|
| + // The generator fuzzer should always generate new values.
|
| + return true;
|
| +}
|
| +
|
| +static const char kCountSwitch[] = "count";
|
| +static const char kHelpSwitch[] = "help";
|
| +
|
| +int GenerateMain(int argc, char** argv) {
|
| + base::CommandLine::Init(argc, argv);
|
| + base::CommandLine* cmd = base::CommandLine::ForCurrentProcess();
|
| + base::CommandLine::StringVector args = cmd->GetArgs();
|
| +
|
| + if (args.size() != 1 || cmd->HasSwitch(kHelpSwitch)) {
|
| + std::cerr << "Usage: ipc_fuzzer_generate [--help] [--count=n] outfile\n";
|
| + return EXIT_FAILURE;
|
| + }
|
| + base::FilePath::StringType output_file_name = args[0];
|
| +
|
| + int message_count = 1000;
|
| + if (cmd->HasSwitch(kCountSwitch))
|
| + message_count = atoi(cmd->GetSwitchValueASCII(kCountSwitch).c_str());
|
| +
|
| + InitRand();
|
| +
|
| + PopulateFuzzerFunctionVector(&g_function_vector);
|
| + std::cerr << "Counted " << g_function_vector.size()
|
| + << " distinct messages present in chrome.\n";
|
| +
|
| + Fuzzer* fuzzer = new Generator();
|
| + MessageVector message_vector;
|
| +
|
| + int bad_count = 0;
|
| + if (message_count < 0) {
|
| + // Enumerate them all.
|
| + for (size_t i = 0; i < g_function_vector.size(); ++i) {
|
| + if (IPC::Message* new_message = (*g_function_vector[i])(NULL, fuzzer))
|
| + message_vector.push_back(new_message);
|
| + else
|
| + bad_count += 1;
|
| + }
|
| + } else {
|
| + // Fuzz a random batch.
|
| + for (int i = 0; i < message_count; ++i) {
|
| + size_t index = RandInRange(g_function_vector.size());
|
| + if (IPC::Message* new_message = (*g_function_vector[index])(NULL, fuzzer))
|
| + message_vector.push_back(new_message);
|
| + else
|
| + bad_count += 1;
|
| + }
|
| + }
|
| +
|
| + std::cerr << "Failed to generate " << bad_count << " messages.\n";
|
| +
|
| + if (!MessageFile::Write(base::FilePath(output_file_name), message_vector))
|
| + return EXIT_FAILURE;
|
| +
|
| + return EXIT_SUCCESS;
|
| +}
|
| +
|
| +} // namespace ipc_fuzzer
|
| +
|
| +int main(int argc, char** argv) {
|
| + return ipc_fuzzer::GenerateMain(argc, argv);
|
| +}
|
|
|
Chromium Code Reviews
Issue 1000373004:
Combine traits for IPC mutation and generation fuzzing plus other refactoring. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master