| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include <iostream> | |
| 6 #include <set> | |
| 7 #include <vector> | |
| 8 | |
| 9 #include "base/command_line.h" | |
| 10 #include "base/strings/string_split.h" | |
| 11 #include "ipc/ipc_message_macros.h" | |
| 12 #include "tools/ipc_fuzzer/message_lib/message_file.h" | |
| 13 #include "tools/ipc_fuzzer/mutate/fuzzer.h" | |
| 14 #include "tools/ipc_fuzzer/mutate/generator.h" | |
| 15 #include "tools/ipc_fuzzer/mutate/mutator.h" | |
| 16 #include "tools/ipc_fuzzer/mutate/rand_util.h" | |
| 17 | |
| 18 namespace ipc_fuzzer { | |
| 19 | |
| 20 namespace { | |
| 21 | |
| 22 // TODO(mbarbella): Check to see if this value is actually reasonable. | |
| 23 const int kFrequency = 23; | |
| 24 | |
| 25 const char kCountSwitch[] = "count"; | |
| 26 const char kCountSwitchHelp[] = | |
| 27 "Number of messages to generate (generator)."; | |
| 28 | |
| 29 const char kFrequencySwitch[] = "frequency"; | |
| 30 const char kFrequencySwitchHelp[] = | |
| 31 "Probability of mutation; tweak every 1/|q| times (mutator)."; | |
| 32 | |
| 33 const char kFuzzerNameSwitch[] = "fuzzer-name"; | |
| 34 const char kFuzzerNameSwitchHelp[] = | |
| 35 "Select generator, mutator, or no-op fuzzer. Default: generator"; | |
| 36 | |
| 37 const char kHelpSwitch[] = "help"; | |
| 38 const char kHelpSwitchHelp[] = | |
| 39 "Show this message."; | |
| 40 | |
| 41 const char kPermuteSwitch[] = "permute"; | |
| 42 const char kPermuteSwitchHelp[] = | |
| 43 "Randomly shuffle the order of all messages (mutator)."; | |
| 44 | |
| 45 const char kTypeListSwitch[] = "type-list"; | |
| 46 const char kTypeListSwitchHelp[] = | |
| 47 "Explicit list of the only message-ids to mutate (mutator)."; | |
| 48 | |
| 49 void usage() { | |
| 50 std::cerr << "Mutate messages from an exiting message file.\n"; | |
| 51 | |
| 52 std::cerr << "Usage:\n" | |
| 53 << " ipc_fuzzer" | |
| 54 << " [--" << kCountSwitch << "=c]" | |
| 55 << " [--" << kFrequencySwitch << "=q]" | |
| 56 << " [--" << kFuzzerNameSwitch << "=f]" | |
| 57 << " [--" << kHelpSwitch << "]" | |
| 58 << " [--" << kTypeListSwitch << "=x,y,z...]" | |
| 59 << " [--" << kPermuteSwitch << "]" | |
| 60 << " [infile (mutation only)] outfile\n"; | |
| 61 | |
| 62 std::cerr | |
| 63 << " --" << kCountSwitch << " - " << kCountSwitchHelp << "\n" | |
| 64 << " --" << kFrequencySwitch << " - " << kFrequencySwitchHelp << "\n" | |
| 65 << " --" << kFuzzerNameSwitch << " - " << kFuzzerNameSwitchHelp << "\n" | |
| 66 << " --" << kHelpSwitch << " - " << kHelpSwitchHelp << "\n" | |
| 67 << " --" << kTypeListSwitch << " - " << kTypeListSwitchHelp << "\n" | |
| 68 << " --" << kPermuteSwitch << " - " << kPermuteSwitchHelp << "\n"; | |
| 69 } | |
| 70 | |
| 71 } // namespace | |
| 72 | |
| 73 class FuzzerFactory { | |
| 74 public: | |
| 75 static Fuzzer *Create(const std::string& name, int frequency) { | |
| 76 if (name == "default") | |
| 77 return new Generator(); | |
| 78 | |
| 79 if (name == "generate") | |
| 80 return new Generator(); | |
| 81 | |
| 82 if (name == "mutate") | |
| 83 return new Mutator(frequency); | |
| 84 | |
| 85 if (name == "no-op") | |
| 86 return new NoOpFuzzer(); | |
| 87 | |
| 88 std::cerr << "No such fuzzer: " << name << "\n"; | |
| 89 return 0; | |
| 90 } | |
| 91 }; | |
| 92 | |
| 93 static IPC::Message* RewriteMessage( | |
| 94 IPC::Message* message, | |
| 95 Fuzzer* fuzzer, | |
| 96 FuzzerFunctionMap* map) { | |
| 97 FuzzerFunctionMap::iterator it = map->find(message->type()); | |
| 98 if (it == map->end()) { | |
| 99 // This usually indicates a missing message file in all_messages.h, or | |
| 100 // that the message dump file is taken from a different revision of | |
| 101 // chromium from this executable. | |
| 102 std::cerr << "Unknown message type: [" | |
| 103 << IPC_MESSAGE_ID_CLASS(message->type()) << ", " | |
| 104 << IPC_MESSAGE_ID_LINE(message->type()) << "].\n"; | |
| 105 return 0; | |
| 106 } | |
| 107 | |
| 108 return (*it->second)(message, fuzzer); | |
| 109 } | |
| 110 | |
| 111 int Generate(base::CommandLine* cmd, Fuzzer* fuzzer) { | |
| 112 base::CommandLine::StringVector args = cmd->GetArgs(); | |
| 113 if (args.size() != 1) { | |
| 114 usage(); | |
| 115 return EXIT_FAILURE; | |
| 116 } | |
| 117 base::FilePath::StringType output_file_name = args[0]; | |
| 118 | |
| 119 int message_count = 1000; | |
| 120 if (cmd->HasSwitch(kCountSwitch)) | |
| 121 message_count = atoi(cmd->GetSwitchValueASCII(kCountSwitch).c_str()); | |
| 122 | |
| 123 MessageVector message_vector; | |
| 124 int bad_count = 0; | |
| 125 if (message_count < 0) { | |
| 126 // Enumerate them all. | |
| 127 for (size_t i = 0; i < g_function_vector.size(); ++i) { | |
| 128 if (IPC::Message* new_message = (*g_function_vector[i])(NULL, fuzzer)) | |
| 129 message_vector.push_back(new_message); | |
| 130 else | |
| 131 bad_count += 1; | |
| 132 } | |
| 133 } else { | |
| 134 // Fuzz a random batch. | |
| 135 for (int i = 0; i < message_count; ++i) { | |
| 136 size_t index = RandInRange(g_function_vector.size()); | |
| 137 if (IPC::Message* new_message = (*g_function_vector[index])(NULL, fuzzer)) | |
| 138 message_vector.push_back(new_message); | |
| 139 else | |
| 140 bad_count += 1; | |
| 141 } | |
| 142 } | |
| 143 | |
| 144 std::cerr << "Failed to generate " << bad_count << " messages.\n"; | |
| 145 if (!MessageFile::Write(base::FilePath(output_file_name), message_vector)) | |
| 146 return EXIT_FAILURE; | |
| 147 return EXIT_SUCCESS; | |
| 148 } | |
| 149 | |
| 150 int Mutate(base::CommandLine* cmd, Fuzzer* fuzzer) { | |
| 151 base::CommandLine::StringVector args = cmd->GetArgs(); | |
| 152 if (args.size() != 2) { | |
| 153 usage(); | |
| 154 return EXIT_FAILURE; | |
| 155 } | |
| 156 base::FilePath::StringType input_file_name = args[0]; | |
| 157 base::FilePath::StringType output_file_name = args[1]; | |
| 158 | |
| 159 bool permute = cmd->HasSwitch(kPermuteSwitch); | |
| 160 | |
| 161 std::string type_string_list = cmd->GetSwitchValueASCII(kTypeListSwitch); | |
| 162 std::vector<std::string> type_string_vector; | |
| 163 base::SplitString(type_string_list, ',', &type_string_vector); | |
| 164 std::set<uint32> type_set; | |
| 165 for (size_t i = 0; i < type_string_vector.size(); ++i) { | |
| 166 type_set.insert(atoi(type_string_vector[i].c_str())); | |
| 167 } | |
| 168 | |
| 169 FuzzerFunctionMap fuzz_function_map; | |
| 170 PopulateFuzzerFunctionMap(&fuzz_function_map); | |
| 171 | |
| 172 MessageVector message_vector; | |
| 173 if (!MessageFile::Read(base::FilePath(input_file_name), &message_vector)) | |
| 174 return EXIT_FAILURE; | |
| 175 | |
| 176 for (size_t i = 0; i < message_vector.size(); ++i) { | |
| 177 IPC::Message* msg = message_vector[i]; | |
| 178 // If an explicit type set is specified, make sure we should be mutating | |
| 179 // this message type on this run. | |
| 180 if (!type_set.empty() && type_set.end() == std::find( | |
| 181 type_set.begin(), type_set.end(), msg->type())) { | |
| 182 continue; | |
| 183 } | |
| 184 IPC::Message* new_message = RewriteMessage(msg, fuzzer, &fuzz_function_map); | |
| 185 if (new_message) { | |
| 186 IPC::Message* old_message = message_vector[i]; | |
| 187 delete old_message; | |
| 188 message_vector[i] = new_message; | |
| 189 } | |
| 190 } | |
| 191 | |
| 192 if (permute) { | |
| 193 std::random_shuffle(message_vector.begin(), message_vector.end(), | |
| 194 RandInRange); | |
| 195 } | |
| 196 | |
| 197 if (!MessageFile::Write(base::FilePath(output_file_name), message_vector)) | |
| 198 return EXIT_FAILURE; | |
| 199 return EXIT_SUCCESS; | |
| 200 } | |
| 201 | |
| 202 int FuzzerMain(int argc, char** argv) { | |
| 203 base::CommandLine::Init(argc, argv); | |
| 204 base::CommandLine* cmd = base::CommandLine::ForCurrentProcess(); | |
| 205 base::CommandLine::StringVector args = cmd->GetArgs(); | |
| 206 | |
| 207 if (args.size() == 0 || args.size() > 2 || cmd->HasSwitch(kHelpSwitch)) { | |
| 208 usage(); | |
| 209 return EXIT_FAILURE; | |
| 210 } | |
| 211 | |
| 212 InitRand(); | |
| 213 | |
| 214 PopulateFuzzerFunctionVector(&g_function_vector); | |
| 215 std::cerr << "Counted " << g_function_vector.size() | |
| 216 << " distinct messages present in chrome.\n"; | |
| 217 | |
| 218 std::string fuzzer_name = "default"; | |
| 219 if (cmd->HasSwitch(kFuzzerNameSwitch)) | |
| 220 fuzzer_name = cmd->GetSwitchValueASCII(kFuzzerNameSwitch); | |
| 221 | |
| 222 int frequency = kFrequency; | |
| 223 if (cmd->HasSwitch(kFrequencySwitch)) | |
| 224 frequency = atoi(cmd->GetSwitchValueASCII(kFrequencySwitch).c_str()); | |
| 225 | |
| 226 Fuzzer* fuzzer = FuzzerFactory::Create(fuzzer_name, frequency); | |
| 227 if (!fuzzer) | |
| 228 return EXIT_FAILURE; | |
| 229 | |
| 230 int result; | |
| 231 base::FilePath::StringType output_file_name; | |
| 232 if (fuzzer_name == "default" || fuzzer_name == "generate") { | |
| 233 result = Generate(cmd, fuzzer); | |
| 234 } else { | |
| 235 result = Mutate(cmd, fuzzer); | |
| 236 } | |
| 237 | |
| 238 return result; | |
| 239 } | |
| 240 | |
| 241 } // namespace ipc_fuzzer | |
| 242 | |
| 243 int main(int argc, char** argv) { | |
| 244 return ipc_fuzzer::FuzzerMain(argc, argv); | |
| 245 } | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1025483002:
Restructure the ipc_fuzzer directory. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master