Index: lib/fuzzer/utils/FuzzedDataProvider.h
===================================================================
--- /dev/null
+++ lib/fuzzer/utils/FuzzedDataProvider.h
@@ -0,0 +1,206 @@ +//===- FuzzedDataProvider.h - Utility header for fuzz targets ---*- C++ -* ===// +// +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception +// +//===----------------------------------------------------------------------===// +// A single header library providing an utility class to break up an array of +// bytes (supposedly provided by a fuzzing engine) for multiple consumers. +// Whenever run on the same input, provides the same output, as long as its +// methods are called in the same order, with the same arguments. +//===----------------------------------------------------------------------===// + +#ifndef LLVM_FUZZER_FUZZED_DATA_PROVIDER_H_ +#define LLVM_FUZZER_FUZZED_DATA_PROVIDER_H_ + +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +class FuzzedDataProvider { + public: + typedef uint8_t data_type; + + // |data| is an array of length |size| that the FuzzedDataProvider wraps to + // provide more granular access. |data| must outlive the FuzzedDataProvider. + FuzzedDataProvider(const uint8_t* data, size_t size) + : data_ptr_(data), remaining_bytes_(size) {} + ~FuzzedDataProvider() = default; + + // Returns a std::vector containing |num_bytes| of input data. If fewer than + // |num_bytes| of data remain, returns a shorter std::vector containing all + // of the data that's left. + template + std::vector ConsumeBytes(size_t num_bytes) { + static_assert(sizeof(T) == sizeof(data_type), "Incompatible data type."); + + num_bytes = std::min(num_bytes, remaining_bytes_); + + // The point of using the size-based constructor below is to increase the + // odds of having a vector object with capacity being equal to the length. 
+ // That part is always implementation specific, but at least both libc++ and + // libstdc++ allocate the requested number of bytes in that constructor, + // which seems to be a natual choice for other implementations as well. + // To increase the odds even more, we also call |shrink_to_fit| below. + std::vector result(num_bytes); + std::memcpy(result.data(), data_ptr_, num_bytes); + Advance(num_bytes); + + // Even though |shrink_to_fit| is also implementation specific, we expect it + // to provide an additional assurance in case vector's constructor allocated + // a buffer which is larger than the actual amount of data we put inside it. + result.shrink_to_fit(); + return result; + } + + // Prefer using |ConsumeBytes| unless you actually need a std::string object. + // Returns a std::string containing |num_bytes| of input data. If fewer than + // |num_bytes| of data remain, returns a shorter std::string containing all + // of the data that's left. + std::string ConsumeBytesAsString(size_t num_bytes) { + static_assert(sizeof(std::string::value_type) == sizeof(data_type), + "ConsumeBytesAsString cannot convert the data to a string."); + + num_bytes = std::min(num_bytes, remaining_bytes_); + std::string result( + reinterpret_cast(data_ptr_), num_bytes); + Advance(num_bytes); + return result; + } + + // Returns a number in the range [min, max] by consuming bytes from the input + // data. The value might not be uniformly distributed in the given range. If + // there's no input data left, always returns |min|. |min| must be less than + // or equal to |max|. + template + T ConsumeIntegralInRange(T min, T max) { + static_assert(std::is_integral::value, "An integral type is required."); + static_assert(sizeof(T) <= sizeof(uint64_t), "Unsupported integral type."); + + if (min > max) + abort(); + + // Use the biggest type possible to hold the range and the result. 
+ uint64_t range = static_cast(max) - min; + uint64_t result = 0; + size_t offset = 0; + + while (offset < sizeof(T) * CHAR_BIT && (range >> offset) > 0 && + remaining_bytes_ != 0) { + // Pull bytes off the end of the seed data. Experimentally, this seems to + // allow the fuzzer to more easily explore the input space. This makes + // sense, since it works by modifying inputs that caused new code to run, + // and this data is often used to encode length of data read by + // |ConsumeBytes|. Separating out read lengths makes it easier modify the + // contents of the data that is actually read. + --remaining_bytes_; + result = (result << CHAR_BIT) | data_ptr_[remaining_bytes_]; + offset += CHAR_BIT; + } + + // Avoid division by 0, in the case |range + 1| results in overflow. + if (range != std::numeric_limits::max()) + result = result % (range + 1); + + return static_cast(min + result); + } + + // Returns a std::string of length from 0 to |max_length|. When it runs out of + // input data, returns what remains of the input. Designed to be more stable + // with respect to a fuzzer inserting characters than just picking a random + // length and then consuming that many bytes with |ConsumeBytes|. + std::string ConsumeRandomLengthString(size_t max_length) { + // Reads bytes from the start of |data_ptr_|. Maps "\\" to "\", and maps "\" + // followed by anything else to the end of the string. As a result of this + // logic, a fuzzer can insert characters into the string, and the string + // will be lengthened to include those new characters, resulting in a more + // stable fuzzer than picking the length of a string independently from + // picking its contents. 
+ std::string result; + for (size_t i = 0; i < max_length && remaining_bytes_ != 0; ++i) { + char next = static_cast(data_ptr_[0]); + Advance(1); + if (next == '\\' && remaining_bytes_ != 0) { + next = static_cast(data_ptr_[0]); + Advance(1); + if (next != '\\') + return result; + } + result += next; + } + + result.shrink_to_fit(); + return result; + } + + // Returns a std::vector containing all remaining bytes of the input data. + template + std::vector ConsumeRemainingBytes() { + return ConsumeBytes(remaining_bytes_); + } + + // Prefer using |ConsumeRemainingBytes| unless you actually need a std::string + // object. + // Returns a std::vector containing all remaining bytes of the input data. + std::string ConsumeRemainingBytesAsString() { + return ConsumeBytesAsString(remaining_bytes_); + } + + // Returns a number in the range [Type's min, Type's max]. The value might + // not be uniformly distributed in the given range. If there's no input data + // left, always returns |min|. + template + T ConsumeIntegral() { + return ConsumeIntegralInRange(std::numeric_limits::min(), + std::numeric_limits::max()); + } + + // Reads one byte and returns a bool, or false when no data remains. + bool ConsumeBool() { return 1 & ConsumeIntegral(); } + + // Returns a value from |array|, consuming as many bytes as needed to do so. + // |array| must be a fixed-size array. + template + T PickValueInArray(T (&array)[size]) { + return array[ConsumeIntegralInRange(0, size - 1)]; + } + + // Return an enum value. The enum must start at 0 and be contiguous. It must + // also contain kMaxValue aliased to its largest (inclusive) value. Such as: + // enum class Foo { SomeValue, OtherValue, kMaxValue = OtherValue }; + template + T ConsumeEnum() { + static_assert(std::is_enum::value, "|T| must be an enum type."); + return static_cast(ConsumeIntegralInRange( + 0, static_cast(T::kMaxValue))); + } + + // Reports the remaining bytes available for fuzzed input. 
+ size_t remaining_bytes() { return remaining_bytes_; }
+
+ private:
+ FuzzedDataProvider(const FuzzedDataProvider&) = delete;
+ FuzzedDataProvider& operator=(const FuzzedDataProvider&) = delete;
+
+ void Advance(size_t num_bytes) {
+ if (num_bytes > remaining_bytes_)
+ abort();
+
+ data_ptr_ += num_bytes;
+ remaining_bytes_ -= num_bytes;
+ }
+
+ const data_type* data_ptr_;
+ size_t remaining_bytes_;
+};
+
+#endif // LLVM_FUZZER_FUZZED_DATA_PROVIDER_H_
+
\ No newline at end of file
Index: test/fuzzer/FuzzedDataProviderTest.cpp
===================================================================
--- /dev/null
+++ test/fuzzer/FuzzedDataProviderTest.cpp
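Review bot: `ConsumeBytes` near the top of this hunk calls `std::memcpy(result.data(), data_ptr_, num_bytes)` even after `num_bytes` clamps to 0, so if a harness ever constructs the provider over `(nullptr, 0)` the copy passes a null source pointer, which is undefined regardless of length and is what UBSan's nonnull checks report; the `std::string` range constructor in `ConsumeBytesAsString` has the same exposure. Guarding the copy with `if (num_bytes != 0) std::memcpy(result.data(), data_ptr_, num_bytes);` keeps the zero-length path well-defined at no cost. Separately, the comment above `ConsumeRemainingBytesAsString` says it returns a `std::vector` while the function returns a `std::string`; it should read `// Returns a std::string containing all remaining bytes of the input data.`. The capacity comment in `ConsumeBytes` also misspells "natural" as "natual".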
@@ -0,0 +1,186 @@ +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception + +#include +#include +#include + +#include "utils/FuzzedDataProvider.h" + +int main(int argc, char *argv[]) { + /* A random 1KB buffer generated by: + $ python -c "import os; print '\n'.join([', '.join(['0x%02X' % ord(i) for i \ + in list(os.urandom(8))]) for _ in xrange(128)])" + */ + const uint8_t Data[] = { + 0xA6, 0x02, 0xDD, 0x13, 0x44, 0xFF, 0xF5, 0xFA + 0xF6, 0xB5, 0xDD, 0xEE, 0x77, 0x30, 0xEB, 0x83 + 0x95, 0xBE, 0x3C, 0xED, 0x73, 0x1B, 0x64, 0x0B + 0x77, 0x35, 0xCB, 0x8C, 0x4C, 0x62, 0x61, 0x4C + 0x5B, 0x61, 0x3C, 0xFA, 0xA0, 0x96, 0x06, 0xB7 + 0x73, 0x73, 0x56, 0x1B, 0xB5, 0xDC, 0x87, 0x44 + 0x96, 0x69, 0xF2, 0xC7, 0x98, 0xCA, 0x3E, 0xBF + 0x3C, 0x7D, 0xDE, 0x8B, 0xD5, 0x2E, 0x41, 0x6E + 0xCE, 0x92, 0x2E, 0x34, 0xC8, 0x97, 0x7E, 0xD6 + 0x79, 0x21, 0x09, 0x84, 0xCA, 0x3F, 0x96, 0xA0 + 0x8D, 0x82, 0xF5, 0x13, 0x94, 0x17, 0x18, 0xA2 + 0x10, 0x58, 0x15, 0xAA, 0xC8, 0xD8, 0xA1, 0x08 + 0x66, 0xAA, 0x31, 0xAC, 0x0A, 0x9D, 0xD1, 0x22 + 0x3E, 0x61, 0xAE, 0xC4, 0x97, 0xD5, 0xC1, 0xD0 + 0x25, 0x3A, 0x69, 0x3D, 0x36, 0x2D, 0x5D, 0x17 + 0x51, 0x9B, 0x3E, 0x05, 0x3A, 0x45, 0x51, 0xBA + 0xB5, 0x68, 0x37, 0x3F, 0xE1, 0x2F, 0xA3, 0x19 + 0x66, 0x1C, 0x3D, 0xC6, 0xB3, 0x5A, 0x3E, 0xA5 + 0x12, 0x08, 0x24, 0xC3, 0x73, 0x1D, 0xDE, 0x82 + 0xCC, 0xD9, 0xCC, 0x26, 0xD0, 0x7C, 0x7E, 0xB9 + 0xD2, 0x41, 0x77, 0x3B, 0xE4, 0xBE, 0xE9, 0x92 + 0x5F, 0x91, 0x59, 0x37, 0x9F, 0xCF, 0xF3, 0xC8 + 0xF2, 0x2B, 0x77, 0x35, 0x0B, 0xF1, 0x77, 0xDC + 0x9E, 0x76, 0x93, 0x18, 0x66, 0xE3, 0xE4, 0x2F + 0x0F, 0x9F, 0x71, 0xEA, 0x9A, 0x98, 0x42, 0xF7 + 0x23, 0x7B, 0x5E, 0xFA, 0xD2, 0x61, 0xFD, 0xB6 + 0x8A, 0xD9, 0x81, 0x96, 0x6C, 0x6C, 0xF8, 0x82 + 0x8F, 0x08, 0x29, 0x61, 0x15, 0x10, 0x36, 0xD3 + 0x5A, 0x25, 0x93, 0x43, 0xDE, 0x52, 0x2C, 0xC3 + 0x3C, 0x25, 0x8C, 0x12, 0x82, 0x93, 0xAC, 
0x3C + 0x55, 0xB1, 0x62, 0xFE, 0x57, 0xB9, 0xA6, 0xA9 + 0x28, 0x58, 0x27, 0xA0, 0xBF, 0x7B, 0xC1, 0x87 + 0xDB, 0x98, 0x24, 0x7D, 0xFC, 0xFA, 0xF3, 0xD1 + 0xFF, 0xC7, 0xB6, 0x39, 0x60, 0x3A, 0xE8, 0xE1 + 0x64, 0x46, 0xFB, 0xDC, 0xF3, 0x8F, 0x25, 0xDD + 0xCD, 0x62, 0x7B, 0x28, 0x24, 0xD4, 0x85, 0x34 + 0xAA, 0xF0, 0xE0, 0xB0, 0xD6, 0xC4, 0xA7, 0x15 + 0x44, 0x30, 0x98, 0xFE, 0xF9, 0x3E, 0x37, 0x0F + 0x06, 0x79, 0xD8, 0x0A, 0x4C, 0xEE, 0x26, 0x30 + 0x36, 0x16, 0x75, 0x59, 0xCA, 0xE0, 0x42, 0xCB + 0xF1, 0x65, 0x43, 0x4D, 0x16, 0x41, 0x89, 0x96 + 0xCB, 0xA1, 0xFA, 0xF1, 0xAE, 0x89, 0xEB, 0x83 + 0x82, 0xA4, 0x92, 0x6F, 0xE2, 0x9D, 0xA3, 0x58 + 0x24, 0x09, 0x32, 0x70, 0x10, 0xF6, 0xAE, 0x6D + 0x0C, 0x25, 0x47, 0x55, 0x09, 0xDE, 0x73, 0xA5 + 0x77, 0xF8, 0x31, 0x44, 0xD7, 0xF4, 0xA7, 0xEF + 0x87, 0x36, 0xA7, 0x43, 0x79, 0xDB, 0x08, 0x68 + 0x71, 0x31, 0x32, 0xA0, 0x30, 0x18, 0x9F, 0xD0 + 0x94, 0x6D, 0x79, 0x0C, 0x0A, 0x3B, 0xB8, 0xF1 + 0x60, 0xBD, 0x53, 0xD7, 0x88, 0x69, 0xCF, 0xCB + 0x5E, 0x0C, 0xC5, 0x26, 0xF1, 0x89, 0x64, 0xBC + 0x9C, 0x20, 0xF8, 0x41, 0xF0, 0xFF, 0x14, 0xE9 + 0x21, 0xE4, 0x15, 0x2F, 0x73, 0xCC, 0x40, 0xF1 + 0x36, 0x2F, 0xBD, 0x7C, 0x12, 0x50, 0xE3, 0x1F + 0x7E, 0xE2, 0x69, 0x1F, 0xC8, 0x11, 0xDB, 0xA4 + 0x70, 0xFC, 0xED, 0xCD, 0x0A, 0x9D, 0x25, 0x77 + 0xED, 0xF9, 0x4B, 0x67, 0xFA, 0x1D, 0xAA, 0xA1 + 0x6A, 0x24, 0x9F, 0x31, 0x5D, 0xD9, 0x9E, 0xEE + 0x3A, 0x8E, 0x00, 0xF3, 0x85, 0xB9, 0x2D, 0xE4 + 0x24, 0x67, 0x09, 0xDF, 0x6A, 0x84, 0x65, 0xB6 + 0xE9, 0xD2, 0x9E, 0xC8, 0xCB, 0x32, 0x17, 0xD8 + 0x0C, 0x6B, 0x3E, 0xD6, 0xF6, 0x56, 0x38, 0x48 + 0xF5, 0x05, 0x2F, 0x9C, 0xD1, 0xCC, 0xBD, 0x8C + 0x5B, 0xCD, 0x94, 0x73, 0xD9, 0x22, 0x10, 0x3D + 0x36, 0x9B, 0x1A, 0xA5, 0x03, 0xA6, 0xC2, 0x2F + 0x81, 0x96, 0x97, 0xDC, 0xEE, 0xEE, 0xDD, 0x13 + 0x7F, 0xFF, 0x26, 0xBF, 0x30, 0x67, 0xAC, 0x2D + 0x2F, 0xD8, 0x3E, 0x35, 0x90, 0x27, 0xC5, 0xA2 + 0x77, 0x37, 0x4B, 0x52, 0xD5, 0x18, 0x4F, 0xA4 + 0xBB, 0xAA, 0xBC, 0xC9, 0xF9, 0x34, 0x43, 0xA9 + 0x46, 0x70, 0x61, 0x03, 0x8C, 
0x8C, 0xB9, 0x9A + 0xC8, 0x8B, 0xC1, 0x5D, 0x7C, 0xEF, 0xEF, 0xA6 + 0xAD, 0xD0, 0x57, 0x03, 0x0C, 0x79, 0xD7, 0xC6 + 0xB3, 0x08, 0x6A, 0xFB, 0x56, 0x3D, 0xB9, 0x7C + 0x5B, 0xCF, 0x62, 0x84, 0x2C, 0x32, 0x7B, 0x56 + 0xBF, 0xFD, 0x67, 0xEF, 0xC2, 0xB2, 0x44, 0xCC + 0xC3, 0x34, 0x18, 0xA0, 0xDA, 0x10, 0x81, 0xB0 + 0x48, 0xDB, 0xFC, 0xE6, 0xB2, 0x87, 0x4C, 0x82 + 0x70, 0x6E, 0x97, 0xA4, 0x97, 0x3D, 0x30, 0xB5 + 0x01, 0x09, 0xFA, 0xD0, 0x0F, 0xA6, 0xE7, 0xE3 + 0x0D, 0x60, 0x88, 0xA1, 0x5C, 0x05, 0x54, 0x03 + 0x69, 0x62, 0x1E, 0x48, 0x21, 0xB4, 0x3D, 0x0F + 0x5B, 0x82, 0x01, 0x73, 0x8B, 0x13, 0x30, 0x57 + 0xD2, 0xB6, 0xD6, 0x0A, 0x89, 0x45, 0x0C, 0xD0 + 0x1C, 0x7C, 0xFD, 0x19, 0x56, 0xFB, 0x3F, 0xED + 0x76, 0x1F, 0x19, 0xC0, 0xBD, 0xBE, 0xA6, 0xB0 + 0x36, 0x0F, 0xFA, 0x54, 0x1D, 0x77, 0x2B, 0xAF + 0xAE, 0x77, 0x0C, 0x93, 0x1D, 0x1F, 0x1A, 0x78 + 0x92, 0x15, 0x59, 0x0D, 0xEA, 0xE3, 0xCD, 0xEE + 0x33, 0x4C, 0xCD, 0xD2, 0xE7, 0x21, 0x92, 0x4B + 0xC8, 0x6D, 0xF2, 0x9A, 0x52, 0x57, 0x8F, 0xC3 + 0x68, 0x0D, 0x61, 0x18, 0x50, 0x12, 0xCC, 0x9C + 0x1A, 0xFF, 0x78, 0xA4, 0xF4, 0xFB, 0xC0, 0xFA + 0x58, 0xAC, 0x67, 0x5C, 0x38, 0xEA, 0x1E, 0x70 + 0xAC, 0xEB, 0x76, 0x63, 0x0B, 0xDC, 0xE3, 0x32 + 0x95, 0x6E, 0xCB, 0xAC, 0x0D, 0x44, 0x8E, 0x7F + 0xD9, 0x16, 0x30, 0xE1, 0x87, 0xD0, 0x35, 0xA9 + 0x44, 0xD9, 0x2D, 0x98, 0x67, 0x63, 0x4B, 0xD4 + 0x3B, 0x08, 0x9B, 0x80, 0x46, 0x61, 0xEA, 0x35 + 0x2D, 0x8B, 0x14, 0x5A, 0x77, 0x84, 0x72, 0xFC + 0xDD, 0xA0, 0x9E, 0x6A, 0xDD, 0xAE, 0xBD, 0x11 + 0x63, 0xCA, 0x96, 0x37, 0x8C, 0x35, 0xBD, 0x66 + 0xBD, 0x00, 0x02, 0x3D, 0xE0, 0xDC, 0x87, 0x00 + 0xC8, 0x44, 0xDA, 0xD3, 0x62, 0x91, 0xBB, 0xB3 + 0x96, 0x03, 0x20, 0xD2, 0x07, 0x07, 0x8B, 0x5A + 0x43, 0x12, 0x9C, 0x2C, 0x39, 0x93, 0x63, 0x70 + 0x79, 0x07, 0xF8, 0x06, 0x50, 0x4F, 0xBC, 0x4A + 0x63, 0x11, 0x83, 0xA0, 0xC7, 0x2F, 0xBE, 0xE8 + 0x7E, 0xCA, 0x04, 0x9E, 0x1F, 0x3B, 0x97, 0x4F + 0x40, 0xC1, 0x7E, 0x2D, 0xCE, 0x4F, 0x7D, 0xA2 + 0x47, 0x42, 0xE2, 0xB8, 0x00, 0x73, 0xCE, 0x75 + 0xB5, 0xCF, 0x24, 
0x44, 0x27, 0xC7, 0x8B, 0xB0 + 0x23, 0x7A, 0xCC, 0x7F, 0xE2, 0xBA, 0xB8, 0xBD + 0xA9, 0x6E, 0x71, 0x63, 0x3F, 0x36, 0xC7, 0x4F + 0x04, 0xE3, 0x7C, 0x69, 0x60, 0x52, 0xF1, 0x84 + 0x5B, 0x25, 0xA1, 0x0B, 0x80, 0xD8, 0x10, 0x0F + 0x07, 0x1A, 0xA6, 0x6F, 0xD0, 0x41, 0xA4, 0x92 + 0x09, 0x41, 0x57, 0xC2, 0xDC, 0xDE, 0x86, 0x9A + 0x0A, 0x61, 0x14, 0x04, 0xD0, 0x25, 0xCD, 0x89 + 0xAA, 0xCB, 0x2B, 0x4F, 0x5D, 0x33, 0xA5, 0xDF + 0x3D, 0x35, 0xB7, 0xA1, 0x78, 0xA0, 0xDE, 0x34 + 0x93, 0xB4, 0x33, 0x47, 0xA4, 0xFD, 0xD9, 0x82 + 0xC6, 0x72, 0x91, 0xD0, 0xA6, 0x82, 0x17, 0x25 + 0xEF, 0xD1, 0x95, 0x9F, 0x85, 0x31, 0x05, 0xBB + 0x46, 0xF3, 0x86, 0x02, 0x71, 0xF5, 0xC0, 0xB9 + 0xF8, 0xB3, 0x6C, 0x79, 0xBF, 0x9C, 0x2C, 0xAA + 0x60, 0xEA, 0xC7, 0x97, 0xCB, 0x20, 0x0D, 0x90 + 0xD5, 0x9B, 0xDB, 0x9C, 0xE4, 0x3D, 0x80, 0xA7 + }; + + FuzzedDataProvider DataProv(Data, sizeof(data)); + // template + // std::vector ConsumeBytes(size_t num_bytes) + + // std::string ConsumeBytesAsString(size_t num_bytes) + + // template + // T ConsumeIntegralInRange(T min, T max) + + // std::string ConsumeRandomLengthString(size_t max_length) { + + // template + // std::vector ConsumeRemainingBytes() { + // return ConsumeBytes(remaining_bytes_); + // } + + // std::string ConsumeRemainingBytesAsString() { + // return ConsumeBytesAsString(remaining_bytes_); + // } + + // template + // T ConsumeIntegral() { + + // bool ConsumeBool() + + // template + // T PickValueInArray(T (&array)[size]) { + + // template + // T ConsumeEnum() + + // size_t remaining_bytes() + + return 0; +} + +// int main(int argc, char **argv) { +// testing::InitGoogleTest(&argc, argv); +// return RUN_ALL_TESTS(); +// }
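Review bot: The `Data` initializer in this hunk does not compile as written: the generator shown in the comment joins rows with `'\n'` only, so there is no separator between consecutive rows and every row except the last needs a trailing `,` (e.g. `0xA6, 0x02, 0xDD, 0x13, 0x44, 0xFF, 0xF5, 0xFA,`), and the constructor call refers to a variable that does not exist — `FuzzedDataProvider DataProv(Data, sizeof(Data));` is what is meant. After construction the body is only commented-out method signatures and `return 0`, so the test passes without exercising the provider at all; even a couple of pinned expectations would give the header's determinism contract teeth, e.g. with `<cassert>` included, `assert(DataProv.remaining_bytes() == sizeof(Data));` and, because `ConsumeIntegralInRange` pulls bytes from the end of the buffer, `assert(DataProv.ConsumeIntegral<uint8_t>() == 0xA7);` for the array's last byte. `argc`/`argv` are unused, and the commented-out gtest `main` at the bottom should either be wired up or removed rather than shipped alongside the plain `main`.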