55 struct fuzz {  struct
99 fuzz_fmt(struct fuzz *fuzz, char *s, size_t n)  in fuzz_fmt()  argument
101 	if (fuzz == NULL)  in fuzz_fmt()
104 	switch (fuzz->strategy) {  in fuzz_fmt()
107 		    fuzz_ntop(fuzz->strategy),  in fuzz_fmt()
108 		    fuzz->o1, fuzz->slen * 8, fuzz->o1);  in fuzz_fmt()
112 		    fuzz_ntop(fuzz->strategy),  in fuzz_fmt()
113 		    (((fuzz_ullong)fuzz->o2) * fuzz->slen * 8) + fuzz->o1,  in fuzz_fmt()
114 		    ((fuzz_ullong)fuzz->slen * 8) * fuzz->slen * 8,  in fuzz_fmt()
115 		    fuzz->o1, fuzz->o2);  in fuzz_fmt()
119 		    fuzz_ntop(fuzz->strategy),  in fuzz_fmt()
120 		    fuzz->o1, fuzz->slen, fuzz->o1);  in fuzz_fmt()
124 		    fuzz_ntop(fuzz->strategy),  in fuzz_fmt()
125 		    (((fuzz_ullong)fuzz->o2) * fuzz->slen) + fuzz->o1,  in fuzz_fmt()
126 		    ((fuzz_ullong)fuzz->slen) * fuzz->slen,  in fuzz_fmt()
127 		    fuzz->o1, fuzz->o2);  in fuzz_fmt()
131 		    fuzz_ntop(fuzz->strategy),  in fuzz_fmt()
132 		    fuzz->o1, fuzz->slen, fuzz->o1);  in fuzz_fmt()
136 		    fuzz_ntop(fuzz->strategy),  in fuzz_fmt()
137 		    fuzz->o1, fuzz->slen, fuzz->o1);  in fuzz_fmt()
140 		assert(fuzz->o2 < sizeof(fuzz_b64chars) - 1);  in fuzz_fmt()
142 		    fuzz_ntop(fuzz->strategy),  in fuzz_fmt()
143 		    (fuzz->o1 * (fuzz_ullong)64) + fuzz->o2,  in fuzz_fmt()
144 		    fuzz->slen * (fuzz_ullong)64, fuzz->o1,  in fuzz_fmt()
145 		    fuzz_b64chars[fuzz->o2]);  in fuzz_fmt()
180 fuzz_dump(struct fuzz *fuzz)  in fuzz_dump()  argument
184 	if (fuzz_fmt(fuzz, buf, sizeof(buf)) != 0) {  in fuzz_dump()
189 	fprintf(stderr, "fuzz original %p len = %zu\n", fuzz->seed, fuzz->slen);  in fuzz_dump()
190 	dump(fuzz->seed, fuzz->slen);  in fuzz_dump()
191 	fprintf(stderr, "fuzz context %p len = %zu\n", fuzz, fuzz_len(fuzz));  in fuzz_dump()
192 	dump(fuzz_ptr(fuzz), fuzz_len(fuzz));  in fuzz_dump()
196 static struct fuzz *last_fuzz;
212 struct fuzz *
215 	struct fuzz *ret = calloc(sizeof(*ret), 1);  in fuzz_begin()
241 fuzz_cleanup(struct fuzz *fuzz)  in fuzz_cleanup()  argument
243 	FUZZ_DBG(("cleanup, fuzz = %p", fuzz));  in fuzz_cleanup()
248 	assert(fuzz != NULL);  in fuzz_cleanup()
249 	assert(fuzz->seed != NULL);  in fuzz_cleanup()
250 	assert(fuzz->fuzzed != NULL);  in fuzz_cleanup()
251 	free(fuzz->seed);  in fuzz_cleanup()
252 	free(fuzz->fuzzed);  in fuzz_cleanup()
253 	free(fuzz);  in fuzz_cleanup()
257 fuzz_strategy_done(struct fuzz *fuzz)  in fuzz_strategy_done()  argument
260 	    fuzz, fuzz_ntop(fuzz->strategy), fuzz->o1, fuzz->o2, fuzz->slen));  in fuzz_strategy_done()
262 	switch (fuzz->strategy) {  in fuzz_strategy_done()
264 		return fuzz->o1 >= fuzz->slen * 8;  in fuzz_strategy_done()
266 		return fuzz->o2 >= fuzz->slen * 8;  in fuzz_strategy_done()
268 		return fuzz->o2 >= fuzz->slen;  in fuzz_strategy_done()
273 		return fuzz->o1 >= fuzz->slen;  in fuzz_strategy_done()
280 fuzz_next(struct fuzz *fuzz)  in fuzz_next()  argument
285 	    "o1 = %zu, o2 = %zu, slen = %zu", fuzz, fuzz_ntop(fuzz->strategy),  in fuzz_next()
286 	    (u_long)fuzz->strategies, fuzz->o1, fuzz->o2, fuzz->slen));  in fuzz_next()
288 	if (fuzz->strategy == 0 || fuzz_strategy_done(fuzz)) {  in fuzz_next()
290 		if (fuzz->fuzzed == NULL) {  in fuzz_next()
292 			fuzz->fuzzed = calloc(fuzz->slen, 1);  in fuzz_next()
297 			if ((fuzz->strategies & i) != 0) {  in fuzz_next()
298 				fuzz->strategy = i;  in fuzz_next()
302 		FUZZ_DBG(("selected = %u", fuzz->strategy));  in fuzz_next()
303 		if (fuzz->strategy == 0) {  in fuzz_next()
307 		fuzz->strategies &= ~(fuzz->strategy);  in fuzz_next()
308 		fuzz->o1 = fuzz->o2 = 0;  in fuzz_next()
311 	assert(fuzz->fuzzed != NULL);  in fuzz_next()
313 	switch (fuzz->strategy) {  in fuzz_next()
315 		assert(fuzz->o1 / 8 < fuzz->slen);  in fuzz_next()
316 		memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);  in fuzz_next()
317 		fuzz->fuzzed[fuzz->o1 / 8] ^= 1 << (fuzz->o1 % 8);  in fuzz_next()
318 		fuzz->o1++;  in fuzz_next()
321 		assert(fuzz->o1 / 8 < fuzz->slen);  in fuzz_next()
322 		assert(fuzz->o2 / 8 < fuzz->slen);  in fuzz_next()
323 		memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);  in fuzz_next()
324 		fuzz->fuzzed[fuzz->o1 / 8] ^= 1 << (fuzz->o1 % 8);  in fuzz_next()
325 		fuzz->fuzzed[fuzz->o2 / 8] ^= 1 << (fuzz->o2 % 8);  in fuzz_next()
326 		fuzz->o1++;  in fuzz_next()
327 		if (fuzz->o1 >= fuzz->slen * 8) {  in fuzz_next()
328 			fuzz->o1 = 0;  in fuzz_next()
329 			fuzz->o2++;  in fuzz_next()
333 		assert(fuzz->o1 < fuzz->slen);  in fuzz_next()
334 		memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);  in fuzz_next()
335 		fuzz->fuzzed[fuzz->o1] ^= 0xff;  in fuzz_next()
336 		fuzz->o1++;  in fuzz_next()
339 		assert(fuzz->o1 < fuzz->slen);  in fuzz_next()
340 		assert(fuzz->o2 < fuzz->slen);  in fuzz_next()
341 		memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);  in fuzz_next()
342 		fuzz->fuzzed[fuzz->o1] ^= 0xff;  in fuzz_next()
343 		fuzz->fuzzed[fuzz->o2] ^= 0xff;  in fuzz_next()
344 		fuzz->o1++;  in fuzz_next()
345 		if (fuzz->o1 >= fuzz->slen) {  in fuzz_next()
346 			fuzz->o1 = 0;  in fuzz_next()
347 			fuzz->o2++;  in fuzz_next()
352 		assert(fuzz->o1 < fuzz->slen);  in fuzz_next()
353 		memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);  in fuzz_next()
354 		fuzz->o1++;  in fuzz_next()
357 		assert(fuzz->o1 < fuzz->slen);  in fuzz_next()
358 		assert(fuzz->o2 < sizeof(fuzz_b64chars) - 1);  in fuzz_next()
359 		memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);  in fuzz_next()
360 		fuzz->fuzzed[fuzz->o1] = fuzz_b64chars[fuzz->o2];  in fuzz_next()
361 		fuzz->o2++;  in fuzz_next()
362 		if (fuzz->o2 >= sizeof(fuzz_b64chars) - 1) {  in fuzz_next()
363 			fuzz->o2 = 0;  in fuzz_next()
364 			fuzz->o1++;  in fuzz_next()
372 	    "o1 = %zu, o2 = %zu, slen = %zu", fuzz, fuzz_ntop(fuzz->strategy),  in fuzz_next()
373 	    (u_long)fuzz->strategies, fuzz->o1, fuzz->o2, fuzz->slen));  in fuzz_next()
377 fuzz_matches_original(struct fuzz *fuzz)  in fuzz_matches_original()  argument
379 	if (fuzz_len(fuzz) != fuzz->slen)  in fuzz_matches_original()
381 	return memcmp(fuzz_ptr(fuzz), fuzz->seed, fuzz->slen) == 0;  in fuzz_matches_original()
385 fuzz_done(struct fuzz *fuzz)  in fuzz_done()  argument
387 	FUZZ_DBG(("fuzz = %p, strategies = 0x%lx", fuzz,  in fuzz_done()
388 	    (u_long)fuzz->strategies));  in fuzz_done()
390 	return fuzz_strategy_done(fuzz) && fuzz->strategies == 0;  in fuzz_done()
394 fuzz_len(struct fuzz *fuzz)  in fuzz_len()  argument
396 	assert(fuzz->fuzzed != NULL);  in fuzz_len()
397 	switch (fuzz->strategy) {  in fuzz_len()
403 		return fuzz->slen;  in fuzz_len()
406 		assert(fuzz->o1 <= fuzz->slen);  in fuzz_len()
407 		return fuzz->slen - fuzz->o1;  in fuzz_len()
414 fuzz_ptr(struct fuzz *fuzz)  in fuzz_ptr()  argument
416 	assert(fuzz->fuzzed != NULL);  in fuzz_ptr()
417 	switch (fuzz->strategy) {  in fuzz_ptr()
423 		return fuzz->fuzzed;  in fuzz_ptr()
425 		assert(fuzz->o1 <= fuzz->slen);  in fuzz_ptr()
426 		return fuzz->fuzzed + fuzz->o1;  in fuzz_ptr()
428 		assert(fuzz->o1 <= fuzz->slen);  in fuzz_ptr()
429 		return fuzz->fuzzed;  in fuzz_ptr()