| Index: tools/ipc_fuzzer/mutate/mutator.cc
|
| diff --git a/tools/ipc_fuzzer/mutate/mutator.cc b/tools/ipc_fuzzer/mutate/mutator.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..57514dd78f588bdb52453a806f574269837ee71d
|
| --- /dev/null
|
| +++ b/tools/ipc_fuzzer/mutate/mutator.cc
|
| @@ -0,0 +1,276 @@
|
| +// Copyright 2015 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include <iostream>
|
| +#include <set>
|
| +#include <string>
|
| +#include <vector>
|
| +
|
| +#include "base/basictypes.h"
|
| +#include "base/command_line.h"
|
| +#include "base/strings/string_split.h"
|
| +#include "base/strings/string_util.h"
|
| +#include "base/strings/utf_string_conversions.h"
|
| +#include "ipc/ipc_message.h"
|
| +#include "ipc/ipc_message_macros.h"
|
| +#include "tools/ipc_fuzzer/mutate/mutator.h"
|
| +#include "tools/ipc_fuzzer/mutate/rand_util.h"
|
| +
|
| +namespace ipc_fuzzer {
|
| +
|
| +template <typename T>
|
| +void FuzzIntegralType(T* value, unsigned int frequency) {
|
| + if (RandEvent(frequency)) {
|
| + switch (RandInRange(4)) {
|
| + case 0: (*value) = 0; break;
|
| + case 1: (*value)--; break;
|
| + case 2: (*value)++; break;
|
| + case 3: (*value) = RandU64(); break;
|
| + }
|
| + }
|
| +}
|
| +
|
| +template <typename T>
|
| +void FuzzStringType(T* value, unsigned int frequency,
|
| + const T& literal1, const T& literal2) {
|
| + if (RandEvent(frequency)) {
|
| + switch (RandInRange(5)) {
|
| + case 4: (*value) = (*value) + (*value); // FALLTHROUGH
|
| + case 3: (*value) = (*value) + (*value); // FALLTHROUGH
|
| + case 2: (*value) = (*value) + (*value); break;
|
| + case 1: (*value) += literal1; break;
|
| + case 0: (*value) = literal2; break;
|
| + }
|
| + }
|
| +}
|
| +
|
| +void Mutator::FuzzBool(bool* value) {
|
| + if (RandEvent(frequency_))
|
| + (*value) = !(*value);
|
| +}
|
| +
|
| +void Mutator::FuzzInt(int* value) {
|
| + FuzzIntegralType<int>(value, frequency_);
|
| +}
|
| +
|
| +void Mutator::FuzzLong(long* value) {
|
| + FuzzIntegralType<long>(value, frequency_);
|
| +}
|
| +
|
| +void Mutator::FuzzSize(size_t* value) {
|
| + FuzzIntegralType<size_t>(value, frequency_);
|
| +}
|
| +
|
| +void Mutator::FuzzUChar(unsigned char* value) {
|
| + FuzzIntegralType<unsigned char>(value, frequency_);
|
| +}
|
| +
|
| +void Mutator::FuzzWChar(wchar_t* value) {
|
| + FuzzIntegralType<wchar_t>(value, frequency_);
|
| +}
|
| +
|
| +void Mutator::FuzzUInt16(uint16* value) {
|
| + FuzzIntegralType<uint16>(value, frequency_);
|
| +}
|
| +
|
| +void Mutator::FuzzUInt32(uint32* value) {
|
| + FuzzIntegralType<uint32>(value, frequency_);
|
| +}
|
| +
|
| +void Mutator::FuzzInt64(int64* value) {
|
| + FuzzIntegralType<int64>(value, frequency_);
|
| +}
|
| +
|
| +void Mutator::FuzzUInt64(uint64* value) {
|
| + FuzzIntegralType<uint64>(value, frequency_);
|
| +}
|
| +
|
| +void Mutator::FuzzFloat(float* value) {
|
| + if (RandEvent(frequency_))
|
| + *value = RandDouble();
|
| +}
|
| +
|
| +void Mutator::FuzzDouble(double* value) {
|
| + if (RandEvent(frequency_))
|
| + *value = RandDouble();
|
| +}
|
| +
|
| +void Mutator:: FuzzString(std::string* value) {
|
| + FuzzStringType<std::string>(value, frequency_, "BORKED", std::string());
|
| +}
|
| +
|
| +void Mutator::FuzzString16(base::string16* value) {
|
| + FuzzStringType<base::string16>(value, frequency_,
|
| + base::WideToUTF16(L"BORKED"),
|
| + base::WideToUTF16(L""));
|
| +}
|
| +
|
| +void Mutator::FuzzData(char* data, int length) {
|
| + if (RandEvent(frequency_)) {
|
| + for (int i = 0; i < length; ++i) {
|
| + FuzzIntegralType<char>(&data[i], frequency_);
|
| + }
|
| + }
|
| +}
|
| +
|
| +void Mutator::FuzzBytes(void* data, int data_len) {
|
| + FuzzData(static_cast<char*>(data), data_len);
|
| +}
|
| +
|
| +bool Mutator::ShouldGenerate() {
|
| + // TODO(mbarbella): With a low probability, allow something to be fully
|
| + // rewritten while mutating instead of always changing the existing value.
|
| + return false;
|
| +}
|
| +
|
| +class FuzzerFactory {
|
| + public:
|
| + static Fuzzer *Create(const std::string& name, int frequency) {
|
| + if (name == "no-op")
|
| + return new NoOpFuzzer();
|
| +
|
| + if (name == "default")
|
| + return new Mutator(frequency);
|
| +
|
| + std::cerr << "No such fuzzer: " << name << "\n";
|
| + return 0;
|
| + }
|
| +};
|
| +
|
| +static IPC::Message* RewriteMessage(
|
| + IPC::Message* message,
|
| + Fuzzer* fuzzer,
|
| + FuzzerFunctionMap* map) {
|
| + FuzzerFunctionMap::iterator it = map->find(message->type());
|
| + if (it == map->end()) {
|
| + // This usually indicates a missing message file in all_messages.h, or
|
| + // that the message dump file is taken from a different revision of
|
| + // chromium from this executable.
|
| + std::cerr << "Unknown message type: ["
|
| + << IPC_MESSAGE_ID_CLASS(message->type()) << ", "
|
| + << IPC_MESSAGE_ID_LINE(message->type()) << "].\n";
|
| + return 0;
|
| + }
|
| +
|
| + return (*it->second)(message, fuzzer);
|
| +}
|
| +
|
| +namespace {
|
| +
|
| +static const char kHelpSwitch[] = "help";
|
| +const char kHelpSwitchHelp[] =
|
| + "show this message";
|
| +
|
| +const char kFrequencySwitch[] = "frequency";
|
| +const char kFrequencySwitchHelp[] =
|
| + "probability of mutation; tweak every 1/|q| times.";
|
| +
|
| +const char kFuzzerNameSwitch[] = "fuzzer-name";
|
| +const char kFuzzerNameSwitchHelp[] =
|
| + "select default or no-op fuzzer.";
|
| +
|
| +const char kPermuteSwitch[] = "permute";
|
| +const char kPermuteSwitchHelp[] =
|
| + "Randomly shuffle the order of all messages.";
|
| +
|
| +const char kTypeListSwitch[] = "type-list";
|
| +const char kTypeListSwitchHelp[] =
|
| + "explicit list of the only message-ids to mutate.";
|
| +
|
| +void usage() {
|
| + std::cerr << "Mutate messages from an exiting message file.\n";
|
| +
|
| + std::cerr << "Usage:\n"
|
| + << " ipc_fuzzer_mutate"
|
| + << " [--" << kHelpSwitch << "]"
|
| + << " [--" << kFuzzerNameSwitch << "=f]"
|
| + << " [--" << kFrequencySwitch << "=q]"
|
| + << " [--" << kTypeListSwitch << "=x,y,z...]"
|
| + << " [--" << kPermuteSwitch << "]"
|
| + << " infile outfile\n";
|
| +
|
| + std::cerr
|
| + << " --" << kHelpSwitch << " - " << kHelpSwitchHelp << "\n"
|
| + << " --" << kFuzzerNameSwitch << " - " << kFuzzerNameSwitchHelp << "\n"
|
| + << " --" << kFrequencySwitch << " - " << kFrequencySwitchHelp << "\n"
|
| + << " --" << kTypeListSwitch << " - " << kTypeListSwitchHelp << "\n"
|
| + << " --" << kPermuteSwitch << " - " << kPermuteSwitchHelp << "\n";
|
| +}
|
| +
|
| +} // namespace
|
| +
|
| +int MutateMain(int argc, char** argv) {
|
| + base::CommandLine::Init(argc, argv);
|
| + base::CommandLine* cmd = base::CommandLine::ForCurrentProcess();
|
| + base::CommandLine::StringVector args = cmd->GetArgs();
|
| +
|
| + if (args.size() != 2 || cmd->HasSwitch(kHelpSwitch)) {
|
| + usage();
|
| + return EXIT_FAILURE;
|
| + }
|
| +
|
| + base::FilePath::StringType input_file_name = args[0];
|
| + base::FilePath::StringType output_file_name = args[1];
|
| +
|
| + bool permute = cmd->HasSwitch(kPermuteSwitch);
|
| +
|
| + std::string fuzzer_name = "default";
|
| + if (cmd->HasSwitch(kFuzzerNameSwitch))
|
| + fuzzer_name = cmd->GetSwitchValueASCII(kFuzzerNameSwitch);
|
| +
|
| + int frequency = 23;
|
| + if (cmd->HasSwitch(kFrequencySwitch))
|
| + frequency = atoi(cmd->GetSwitchValueASCII(kFrequencySwitch).c_str());
|
| +
|
| + std::string type_string_list = cmd->GetSwitchValueASCII(kTypeListSwitch);
|
| + std::vector<std::string> type_string_vector;
|
| + base::SplitString(type_string_list, ',', &type_string_vector);
|
| + std::set<uint32> type_set;
|
| + for (size_t i = 0; i < type_string_vector.size(); ++i) {
|
| + type_set.insert(atoi(type_string_vector[i].c_str()));
|
| + }
|
| +
|
| + InitRand();
|
| +
|
| + Fuzzer* fuzzer = FuzzerFactory::Create(fuzzer_name, frequency);
|
| + if (!fuzzer)
|
| + return EXIT_FAILURE;
|
| +
|
| + FuzzerFunctionMap fuzz_function_map;
|
| + PopulateFuzzerFunctionMap(&fuzz_function_map);
|
| + PopulateFuzzerFunctionVector(&g_function_vector);
|
| +
|
| + MessageVector message_vector;
|
| + if (!MessageFile::Read(base::FilePath(input_file_name), &message_vector))
|
| + return EXIT_FAILURE;
|
| +
|
| + for (size_t i = 0; i < message_vector.size(); ++i) {
|
| + IPC::Message* msg = message_vector[i];
|
| + if (!type_set.empty() && type_set.end() == std::find(
|
| + type_set.begin(), type_set.end(), msg->type())) {
|
| + continue;
|
| + }
|
| + IPC::Message* new_message = RewriteMessage(msg, fuzzer, &fuzz_function_map);
|
| + if (new_message) {
|
| + delete message_vector[i];
|
| + message_vector[i] = new_message;
|
| + }
|
| + }
|
| +
|
| + if (permute) {
|
| + std::random_shuffle(message_vector.begin(), message_vector.end(),
|
| + RandInRange);
|
| + }
|
| +
|
| + if (!MessageFile::Write(base::FilePath(output_file_name), message_vector))
|
| + return EXIT_FAILURE;
|
| +
|
| + return EXIT_SUCCESS;
|
| +}
|
| +
|
| +} // namespace ipc_fuzzer
|
| +
|
| +int main(int argc, char** argv) {
|
| + return ipc_fuzzer::MutateMain(argc, argv);
|
| +}
|
|
|
Chromium Code Reviews
Issue 1000373004:
Combine traits for IPC mutation and generation fuzzing plus other refactoring. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master