Initial implementation of a record-level bitcode fuzzer.

include/llvm/Bitcode/NaCl/NaClFuzz.h

+//===- NaClFuzz.h - Fuzz PNaCl bitcode records ------------------*- C++ -*-===//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// This file defines a basic fuzzer for a list of PNaCl bitcode records.
+//
+// *** WARNING *** The implementation of the fuzzer seeds the random
+// number generator each time bitcode is fuzzed. As a result, this
+// code is not thread safe.
+
+#ifndef LLVM_BITCODE_NACL_NACLFUZZ_H
+#define LLVM_BITCODE_NACL_NACLFUZZ_H
+
+#include "llvm/ADT/SmallVector.h"
+#include "llvm/Bitcode/NaCl/NaClBitcodeMungeUtils.h"
+
+namespace naclfuzz {
+
+using namespace llvm;
+
+/// \brief Fuzzes a list of editable bitcode records.
+class RecordFuzzer {
+  RecordFuzzer(const RecordFuzzer&) = delete;
+  void operator=(const RecordFuzzer&) = delete;
+public:
+
+  typedef NaClMungedBitcode::iterator iterator;
+  /// \brief The set of possible fuzzing actions.
+  enum EditAction {
+    /// \brief Inserts a new record into the list of bitcode records.
+    InsertRecord,
+    /// \brief Mutate contents of an existing bitcode record.
+    MutateRecord,
+    /// \brief Removes an existing record from the list of bitcode
+    /// records.
+    RemoveRecord,
+    /// \brief Replaces an existing record with a new bitcode record.
+    ReplaceRecord,
+    /// \brief Swaps two records in the bitcode record list.
+    SwapRecord
+  };
+
+  virtual ~RecordFuzzer();
+
+  /// \brief Sets the random number generator seed to the given value.
+  /// Value of 1 implies reset to default for random number generator.
+  virtual void setRandomGeneratorSeed(uint64_t NewValue = 1) = 0;
+
+  /// \brief Generates a new fuzzing of the bitcode, using the a random

[kcc2, 2015/05/26 20:38:32]

Do you mean "generates a random mutation"?

[Karl, 2015/05/29 20:59:34]

Done.

+  /// number generator. Percentage (a value between 0 and 1) is used to
+  /// define the number of fuzzing actions applied to the bitcode.
+  /// Returns true if fuzzing succeeded.
+  ///
+  /// Many be called an arbitrary number of times. Results are left in
+  /// the munged bitcode records passed into static method
+  /// createSimpleRecordFuzzer.
+  virtual bool fuzz(float MinPercentage) = 0;

[kcc2, 2015/05/26 20:38:32]

float? 
mmmm. I don't like floats except for when you need floating point arithmetic. 

[Karl, 2015/05/29 20:59:34]

Changed to pass in Count/Base (integer) values to define percentage.

+
+  /// \brief Shows how many times each record was edited in the
+  /// corresponding (input) bitcode, over all calls to fuzz.
+  virtual void showRecordDistribution(raw_ostream &Out) const = 0;
+
+  /// \brief Shows how many times each type of edit action was applied
+  /// to the corresponding bitcode, over all calls to fuzz.
+  virtual void showEditDistribution(raw_ostream &Out) const = 0;
+
+  // Creates an instance of a fuzzer for the given bitcode.
+  static RecordFuzzer *createSimpleRecordFuzzer(NaClMungedBitcode &Bitcode);
+
+  /// Returns printable name for the edit action.
+  static const char *actionName(EditAction Action);
+
+protected:
+  explicit RecordFuzzer(NaClMungedBitcode &Bitcode);
+
+  // Holds the bitcode being munged.
+  NaClMungedBitcode &Bitcode;
+
+  // Erases the last fuzzing result from the munged bitcode records
+  // in Bitcode.
+  virtual void clear();
+};
+
+} // end of namespace naclfuzz
+
+#endif // LLVM_BITCODE_NACL_NACLFUZZ_H