Chromium Code Reviews| Index: include/llvm/Bitcode/NaCl/NaClFuzz.h |
| diff --git a/include/llvm/Bitcode/NaCl/NaClFuzz.h b/include/llvm/Bitcode/NaCl/NaClFuzz.h |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..22b14cee4304eedd47fa0c0dc3f042507f27fd84 |
| --- /dev/null |
| +++ b/include/llvm/Bitcode/NaCl/NaClFuzz.h |
| @@ -0,0 +1,96 @@ |
| +//===- NaClFuzz.h - Fuzz PNaCl bitcode records ------------------*- C++ -*-===// |
| +// |
| +// The LLVM Compiler Infrastructure |
| +// |
| +// This file is distributed under the University of Illinois Open Source |
| +// License. See LICENSE.TXT for details. |
| +// |
| +//===----------------------------------------------------------------------===// |
| +// |
| +// This file defines a basic fuzzer for a list of PNaCl bitcode records. |
| +// |
| +// *** WARNING *** The implementation of the fuzzer uses a random |
| +// number generator. As a result, this code is not thread safe. |
|
jvoung (off chromium)
2015/06/01 17:26:35
Close the header description with another line of
Karl
2015/06/01 22:40:54
Done.
|
| + |
| +#ifndef LLVM_BITCODE_NACL_NACLFUZZ_H |
| +#define LLVM_BITCODE_NACL_NACLFUZZ_H |
| + |
| +#include "llvm/ADT/SmallVector.h" |
| +#include "llvm/Bitcode/NaCl/NaClBitcodeMungeUtils.h" |
| +#include "llvm/Bitcode/NaCl/NaClRandNumGen.h" |
| + |
| +#include <random> |
| + |
| +namespace naclfuzz { |
| + |
| +using namespace llvm; |
| + |
| +/// \brief Fuzzes a list of editable bitcode records. |
| +class RecordFuzzer { |
| + RecordFuzzer(const RecordFuzzer&) = delete; |
| + void operator=(const RecordFuzzer&) = delete; |
| +public: |
| + typedef NaClMungedBitcode::iterator iterator; |
| + |
| + /// \brief The set of possible fuzzing actions. |
| + enum EditAction { |
| + /// \brief Inserts a new record into the list of bitcode records. |
| + InsertRecord, |
| + /// \brief Mutate contents of an existing bitcode record. |
| + MutateRecord, |
| + /// \brief Removes an existing record from the list of bitcode |
| + /// records. |
| + RemoveRecord, |
| + /// \brief Replaces an existing record with a new bitcode record. |
| + ReplaceRecord, |
| + /// \brief Swaps two records in the bitcode record list. |
| + SwapRecord |
| + }; |
| + |
| + virtual ~RecordFuzzer(); |
| + |
| + /// \brief Generates a random mutation of the bitcode, using the |
| + /// provided random number generator. Percentage (a value between 0 |
| + /// and 1 defined by Count/Base) is used to define the number of |
| + /// fuzzing actions applied to the bitcode. Returns true if fuzzing |
| + /// succeeded. |
| + /// |
| + /// Many be called an arbitrary number of times. Results are left in |
|
jvoung (off chromium)
2015/06/01 17:26:34
Many be -> May be
Karl
2015/06/01 22:40:54
Done.
|
| + /// the munged bitcode records passed into static method |
| + /// createSimpleRecordFuzzer. |
| + virtual bool fuzz(unsigned Count, unsigned Base=100) = 0; |
| + |
| + /// \brief Shows how many times each record was edited in the |
| + /// corresponding (input) bitcode, over all calls to fuzz. |
| + virtual void showRecordDistribution(raw_ostream &Out) const = 0; |
| + |
| + /// \brief Shows how many times each type of edit action was applied |
| + /// to the corresponding bitcode, over all calls to fuzz. |
| + virtual void showEditDistribution(raw_ostream &Out) const = 0; |
| + |
| + // Creates an instance of a fuzzer for the given bitcode. |
| + static RecordFuzzer |
| + *createSimpleRecordFuzzer(NaClMungedBitcode &Bitcode, |
| + RandomNumberGenerator &RandGenerator); |
| + |
| + /// Returns printable name for the edit action. |
| + static const char *actionName(EditAction Action); |
| + |
| +protected: |
| + explicit RecordFuzzer(NaClMungedBitcode &Bitcode, |
|
jvoung (off chromium)
2015/06/01 17:26:34
No longer need explicit w/ two params.
Karl
2015/06/01 22:40:54
Done.
|
| + RandomNumberGenerator &Generator); |
| + |
| + // Holds the bitcode being munged. |
| + NaClMungedBitcode &Bitcode; |
| + |
| + // Hold the random number generator. |
| + RandomNumberGenerator &Generator; |
| + |
| + // Erases the last fuzzing result from the munged bitcode records |
| + // in Bitcode. |
| + virtual void clear(); |
| +}; |
| + |
| +} // end of namespace naclfuzz |
| + |
| +#endif // LLVM_BITCODE_NACL_NACLFUZZ_H |
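Review bot: The factory `createSimpleRecordFuzzer` returns a raw `RecordFuzzer *` and the class keeps `Bitcode` and `Generator` as reference members, but the header does not say who deletes the fuzzer or that both arguments must outlive it; a caller that gets this wrong ends up with a leak or a dangling reference. I would turn the plain `//` comment above the factory into a Doxygen comment that states the contract, e.g. `/// Creates a fuzzer for Bitcode. The caller owns the result; Bitcode and RandGenerator must outlive it.` The comment on `fuzz` describes Count/Base as a value between 0 and 1 but does not say what happens for `Base == 0` or `Count > Base`; the implementation is not on this page, so either document the precondition there or have the implementation assert it. As a style point, `using namespace llvm;` at namespace scope in a header pulls all of `llvm` into `naclfuzz` for every includer, and qualifying the names this header uses (such as `llvm::raw_ostream`) would avoid that.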