1 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 2 // See https://llvm.org/LICENSE.txt for license information. 3 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 4 5 // Avoid ODR violations (LibFuzzer is built without ASan and this test is built 6 // with ASan) involving C++ standard library types when using libcxx. 7 #define _LIBCPP_HAS_NO_ASAN 8 9 // Do not attempt to use LLVM ostream etc from gtest. 10 #define GTEST_NO_LLVM_SUPPORT 1 11 12 #include "FuzzerCorpus.h" 13 #include "FuzzerDictionary.h" 14 #include "FuzzerInternal.h" 15 #include "FuzzerMerge.h" 16 #include "FuzzerMutate.h" 17 #include "FuzzerRandom.h" 18 #include "FuzzerTracePC.h" 19 #include "gtest/gtest.h" 20 #include <memory> 21 #include <set> 22 #include <sstream> 23 24 using namespace fuzzer; 25 26 // For now, have LLVMFuzzerTestOneInput just to make it link. 27 // Later we may want to make unittests that actually call LLVMFuzzerTestOneInput. 28 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { 29 abort(); 30 } 31 32 TEST(Fuzzer, Basename) { 33 EXPECT_EQ(Basename("foo/bar"), "bar"); 34 EXPECT_EQ(Basename("bar"), "bar"); 35 EXPECT_EQ(Basename("/bar"), "bar"); 36 EXPECT_EQ(Basename("foo/x"), "x"); 37 EXPECT_EQ(Basename("foo/"), ""); 38 #if LIBFUZZER_WINDOWS 39 EXPECT_EQ(Basename("foo\\bar"), "bar"); 40 EXPECT_EQ(Basename("foo\\bar/baz"), "baz"); 41 EXPECT_EQ(Basename("\\bar"), "bar"); 42 EXPECT_EQ(Basename("foo\\x"), "x"); 43 EXPECT_EQ(Basename("foo\\"), ""); 44 #endif 45 } 46 47 TEST(Fuzzer, CrossOver) { 48 std::unique_ptr<ExternalFunctions> t(new ExternalFunctions()); 49 fuzzer::EF = t.get(); 50 Random Rand(0); 51 std::unique_ptr<MutationDispatcher> MD(new MutationDispatcher(Rand, {})); 52 Unit A({0, 1, 2}), B({5, 6, 7}); 53 Unit C; 54 Unit Expected[] = { 55 { 0 }, 56 { 0, 1 }, 57 { 0, 5 }, 58 { 0, 1, 2 }, 59 { 0, 1, 5 }, 60 { 0, 5, 1 }, 61 { 0, 5, 6 }, 62 { 0, 1, 2, 5 }, 63 { 0, 1, 5, 2 }, 64 { 0, 1, 5, 6 }, 65 { 0, 5, 1, 2 }, 66 { 0, 5, 1, 6 }, 67 { 0, 5, 6, 1 }, 68 { 0, 5, 6, 7 }, 69 { 0, 1, 2, 5, 6 }, 70 { 0, 1, 5, 2, 6 }, 71 { 0, 1, 5, 6, 2 }, 72 { 0, 1, 5, 6, 7 }, 73 { 0, 5, 1, 2, 6 }, 74 { 0, 5, 1, 6, 2 }, 75 { 0, 5, 1, 6, 7 }, 76 { 0, 5, 6, 1, 2 }, 77 { 0, 5, 6, 1, 7 }, 78 { 0, 5, 6, 7, 1 }, 79 { 0, 1, 2, 5, 6, 7 }, 80 { 0, 1, 5, 2, 6, 7 }, 81 { 0, 1, 5, 6, 2, 7 }, 82 { 0, 1, 5, 6, 7, 2 }, 83 { 0, 5, 1, 2, 6, 7 }, 84 { 0, 5, 1, 6, 2, 7 }, 85 { 0, 5, 1, 6, 7, 2 }, 86 { 0, 5, 6, 1, 2, 7 }, 87 { 0, 5, 6, 1, 7, 2 }, 88 { 0, 5, 6, 7, 1, 2 } 89 }; 90 for (size_t Len = 1; Len < 8; Len++) { 91 Set<Unit> FoundUnits, ExpectedUnitsWitThisLength; 92 for (int Iter = 0; Iter < 3000; Iter++) { 93 C.resize(Len); 94 size_t NewSize = MD->CrossOver(A.data(), A.size(), B.data(), B.size(), 95 C.data(), C.size()); 96 C.resize(NewSize); 97 FoundUnits.insert(C); 98 } 99 for (const Unit &U : Expected) 100 if (U.size() <= Len) 101 ExpectedUnitsWitThisLength.insert(U); 102 EXPECT_EQ(ExpectedUnitsWitThisLength, FoundUnits); 103 } 104 } 105 106 TEST(Fuzzer, Hash) { 107 uint8_t A[] = {'a', 'b', 'c'}; 108 fuzzer::Unit U(A, A + sizeof(A)); 109 EXPECT_EQ("a9993e364706816aba3e25717850c26c9cd0d89d", fuzzer::Hash(U)); 110 U.push_back('d'); 111 EXPECT_EQ("81fe8bfe87576c3ecb22426f8e57847382917acf", fuzzer::Hash(U)); 112 } 113 114 typedef size_t (MutationDispatcher::*Mutator)(uint8_t *Data, size_t Size, 115 size_t MaxSize); 116 117 void TestEraseBytes(Mutator M, int NumIter) { 118 std::unique_ptr<ExternalFunctions> t(new ExternalFunctions()); 119 fuzzer::EF = t.get(); 120 uint8_t REM0[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77}; 121 uint8_t REM1[8] = {0x00, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77}; 122 uint8_t REM2[8] = {0x00, 0x11, 0x33, 0x44, 0x55, 0x66, 0x77}; 123 uint8_t REM3[8] = {0x00, 0x11, 0x22, 0x44, 0x55, 0x66, 0x77}; 124 uint8_t REM4[8] = {0x00, 0x11, 0x22, 0x33, 0x55, 0x66, 0x77}; 125 uint8_t REM5[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x66, 0x77}; 126 uint8_t REM6[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x77}; 127 uint8_t REM7[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66}; 128 129 uint8_t REM8[6] = {0x22, 0x33, 0x44, 0x55, 0x66, 0x77}; 130 uint8_t REM9[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}; 131 uint8_t REM10[6] = {0x00, 0x11, 0x22, 0x55, 0x66, 0x77}; 132 133 uint8_t REM11[5] = {0x33, 0x44, 0x55, 0x66, 0x77}; 134 uint8_t REM12[5] = {0x00, 0x11, 0x22, 0x33, 0x44}; 135 uint8_t REM13[5] = {0x00, 0x44, 0x55, 0x66, 0x77}; 136 137 138 Random Rand(0); 139 std::unique_ptr<MutationDispatcher> MD(new MutationDispatcher(Rand, {})); 140 int FoundMask = 0; 141 for (int i = 0; i < NumIter; i++) { 142 uint8_t T[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77}; 143 size_t NewSize = (*MD.*M)(T, sizeof(T), sizeof(T)); 144 if (NewSize == 7 && !memcmp(REM0, T, 7)) FoundMask |= 1 << 0; 145 if (NewSize == 7 && !memcmp(REM1, T, 7)) FoundMask |= 1 << 1; 146 if (NewSize == 7 && !memcmp(REM2, T, 7)) FoundMask |= 1 << 2; 147 if (NewSize == 7 && !memcmp(REM3, T, 7)) FoundMask |= 1 << 3; 148 if (NewSize == 7 && !memcmp(REM4, T, 7)) FoundMask |= 1 << 4; 149 if (NewSize == 7 && !memcmp(REM5, T, 7)) FoundMask |= 1 << 5; 150 if (NewSize == 7 && !memcmp(REM6, T, 7)) FoundMask |= 1 << 6; 151 if (NewSize == 7 && !memcmp(REM7, T, 7)) FoundMask |= 1 << 7; 152 153 if (NewSize == 6 && !memcmp(REM8, T, 6)) FoundMask |= 1 << 8; 154 if (NewSize == 6 && !memcmp(REM9, T, 6)) FoundMask |= 1 << 9; 155 if (NewSize == 6 && !memcmp(REM10, T, 6)) FoundMask |= 1 << 10; 156 157 if (NewSize == 5 && !memcmp(REM11, T, 5)) FoundMask |= 1 << 11; 158 if (NewSize == 5 && !memcmp(REM12, T, 5)) FoundMask |= 1 << 12; 159 if (NewSize == 5 && !memcmp(REM13, T, 5)) FoundMask |= 1 << 13; 160 } 161 EXPECT_EQ(FoundMask, (1 << 14) - 1); 162 } 163 164 TEST(FuzzerMutate, EraseBytes1) { 165 TestEraseBytes(&MutationDispatcher::Mutate_EraseBytes, 200); 166 } 167 TEST(FuzzerMutate, EraseBytes2) { 168 TestEraseBytes(&MutationDispatcher::Mutate, 2000); 169 } 170 171 void TestInsertByte(Mutator M, int NumIter) { 172 std::unique_ptr<ExternalFunctions> t(new ExternalFunctions()); 173 fuzzer::EF = t.get(); 174 Random Rand(0); 175 std::unique_ptr<MutationDispatcher> MD(new MutationDispatcher(Rand, {})); 176 int FoundMask = 0; 177 uint8_t INS0[8] = {0xF1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66}; 178 uint8_t INS1[8] = {0x00, 0xF2, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66}; 179 uint8_t INS2[8] = {0x00, 0x11, 0xF3, 0x22, 0x33, 0x44, 0x55, 0x66}; 180 uint8_t INS3[8] = {0x00, 0x11, 0x22, 0xF4, 0x33, 0x44, 0x55, 0x66}; 181 uint8_t INS4[8] = {0x00, 0x11, 0x22, 0x33, 0xF5, 0x44, 0x55, 0x66}; 182 uint8_t INS5[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0xF6, 0x55, 0x66}; 183 uint8_t INS6[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0xF7, 0x66}; 184 uint8_t INS7[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0xF8}; 185 for (int i = 0; i < NumIter; i++) { 186 uint8_t T[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66}; 187 size_t NewSize = (*MD.*M)(T, 7, 8); 188 if (NewSize == 8 && !memcmp(INS0, T, 8)) FoundMask |= 1 << 0; 189 if (NewSize == 8 && !memcmp(INS1, T, 8)) FoundMask |= 1 << 1; 190 if (NewSize == 8 && !memcmp(INS2, T, 8)) FoundMask |= 1 << 2; 191 if (NewSize == 8 && !memcmp(INS3, T, 8)) FoundMask |= 1 << 3; 192 if (NewSize == 8 && !memcmp(INS4, T, 8)) FoundMask |= 1 << 4; 193 if (NewSize == 8 && !memcmp(INS5, T, 8)) FoundMask |= 1 << 5; 194 if (NewSize == 8 && !memcmp(INS6, T, 8)) FoundMask |= 1 << 6; 195 if (NewSize == 8 && !memcmp(INS7, T, 8)) FoundMask |= 1 << 7; 196 } 197 EXPECT_EQ(FoundMask, 255); 198 } 199 200 TEST(FuzzerMutate, InsertByte1) { 201 TestInsertByte(&MutationDispatcher::Mutate_InsertByte, 1 << 15); 202 } 203 TEST(FuzzerMutate, InsertByte2) { 204 TestInsertByte(&MutationDispatcher::Mutate, 1 << 17); 205 } 206 207 void TestInsertRepeatedBytes(Mutator M, int NumIter) { 208 std::unique_ptr<ExternalFunctions> t(new ExternalFunctions()); 209 fuzzer::EF = t.get(); 210 Random Rand(0); 211 std::unique_ptr<MutationDispatcher> MD(new MutationDispatcher(Rand, {})); 212 int FoundMask = 0; 213 uint8_t INS0[7] = {0x00, 0x11, 0x22, 0x33, 'a', 'a', 'a'}; 214 uint8_t INS1[7] = {0x00, 0x11, 0x22, 'a', 'a', 'a', 0x33}; 215 uint8_t INS2[7] = {0x00, 0x11, 'a', 'a', 'a', 0x22, 0x33}; 216 uint8_t INS3[7] = {0x00, 'a', 'a', 'a', 0x11, 0x22, 0x33}; 217 uint8_t INS4[7] = {'a', 'a', 'a', 0x00, 0x11, 0x22, 0x33}; 218 219 uint8_t INS5[8] = {0x00, 0x11, 0x22, 0x33, 'b', 'b', 'b', 'b'}; 220 uint8_t INS6[8] = {0x00, 0x11, 0x22, 'b', 'b', 'b', 'b', 0x33}; 221 uint8_t INS7[8] = {0x00, 0x11, 'b', 'b', 'b', 'b', 0x22, 0x33}; 222 uint8_t INS8[8] = {0x00, 'b', 'b', 'b', 'b', 0x11, 0x22, 0x33}; 223 uint8_t INS9[8] = {'b', 'b', 'b', 'b', 0x00, 0x11, 0x22, 0x33}; 224 225 for (int i = 0; i < NumIter; i++) { 226 uint8_t T[8] = {0x00, 0x11, 0x22, 0x33}; 227 size_t NewSize = (*MD.*M)(T, 4, 8); 228 if (NewSize == 7 && !memcmp(INS0, T, 7)) FoundMask |= 1 << 0; 229 if (NewSize == 7 && !memcmp(INS1, T, 7)) FoundMask |= 1 << 1; 230 if (NewSize == 7 && !memcmp(INS2, T, 7)) FoundMask |= 1 << 2; 231 if (NewSize == 7 && !memcmp(INS3, T, 7)) FoundMask |= 1 << 3; 232 if (NewSize == 7 && !memcmp(INS4, T, 7)) FoundMask |= 1 << 4; 233 234 if (NewSize == 8 && !memcmp(INS5, T, 8)) FoundMask |= 1 << 5; 235 if (NewSize == 8 && !memcmp(INS6, T, 8)) FoundMask |= 1 << 6; 236 if (NewSize == 8 && !memcmp(INS7, T, 8)) FoundMask |= 1 << 7; 237 if (NewSize == 8 && !memcmp(INS8, T, 8)) FoundMask |= 1 << 8; 238 if (NewSize == 8 && !memcmp(INS9, T, 8)) FoundMask |= 1 << 9; 239 240 } 241 EXPECT_EQ(FoundMask, (1 << 10) - 1); 242 } 243 244 TEST(FuzzerMutate, InsertRepeatedBytes1) { 245 TestInsertRepeatedBytes(&MutationDispatcher::Mutate_InsertRepeatedBytes, 10000); 246 } 247 TEST(FuzzerMutate, InsertRepeatedBytes2) { 248 TestInsertRepeatedBytes(&MutationDispatcher::Mutate, 300000); 249 } 250 251 void TestChangeByte(Mutator M, int NumIter) { 252 std::unique_ptr<ExternalFunctions> t(new ExternalFunctions()); 253 fuzzer::EF = t.get(); 254 Random Rand(0); 255 std::unique_ptr<MutationDispatcher> MD(new MutationDispatcher(Rand, {})); 256 int FoundMask = 0; 257 uint8_t CH0[8] = {0xF0, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77}; 258 uint8_t CH1[8] = {0x00, 0xF1, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77}; 259 uint8_t CH2[8] = {0x00, 0x11, 0xF2, 0x33, 0x44, 0x55, 0x66, 0x77}; 260 uint8_t CH3[8] = {0x00, 0x11, 0x22, 0xF3, 0x44, 0x55, 0x66, 0x77}; 261 uint8_t CH4[8] = {0x00, 0x11, 0x22, 0x33, 0xF4, 0x55, 0x66, 0x77}; 262 uint8_t CH5[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0xF5, 0x66, 0x77}; 263 uint8_t CH6[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0xF5, 0x77}; 264 uint8_t CH7[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0xF7}; 265 for (int i = 0; i < NumIter; i++) { 266 uint8_t T[9] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77}; 267 size_t NewSize = (*MD.*M)(T, 8, 9); 268 if (NewSize == 8 && !memcmp(CH0, T, 8)) FoundMask |= 1 << 0; 269 if (NewSize == 8 && !memcmp(CH1, T, 8)) FoundMask |= 1 << 1; 270 if (NewSize == 8 && !memcmp(CH2, T, 8)) FoundMask |= 1 << 2; 271 if (NewSize == 8 && !memcmp(CH3, T, 8)) FoundMask |= 1 << 3; 272 if (NewSize == 8 && !memcmp(CH4, T, 8)) FoundMask |= 1 << 4; 273 if (NewSize == 8 && !memcmp(CH5, T, 8)) FoundMask |= 1 << 5; 274 if (NewSize == 8 && !memcmp(CH6, T, 8)) FoundMask |= 1 << 6; 275 if (NewSize == 8 && !memcmp(CH7, T, 8)) FoundMask |= 1 << 7; 276 } 277 EXPECT_EQ(FoundMask, 255); 278 } 279 280 TEST(FuzzerMutate, ChangeByte1) { 281 TestChangeByte(&MutationDispatcher::Mutate_ChangeByte, 1 << 15); 282 } 283 TEST(FuzzerMutate, ChangeByte2) { 284 TestChangeByte(&MutationDispatcher::Mutate, 1 << 17); 285 } 286 287 void TestChangeBit(Mutator M, int NumIter) { 288 std::unique_ptr<ExternalFunctions> t(new ExternalFunctions()); 289 fuzzer::EF = t.get(); 290 Random Rand(0); 291 std::unique_ptr<MutationDispatcher> MD(new MutationDispatcher(Rand, {})); 292 int FoundMask = 0; 293 uint8_t CH0[8] = {0x01, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77}; 294 uint8_t CH1[8] = {0x00, 0x13, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77}; 295 uint8_t CH2[8] = {0x00, 0x11, 0x02, 0x33, 0x44, 0x55, 0x66, 0x77}; 296 uint8_t CH3[8] = {0x00, 0x11, 0x22, 0x37, 0x44, 0x55, 0x66, 0x77}; 297 uint8_t CH4[8] = {0x00, 0x11, 0x22, 0x33, 0x54, 0x55, 0x66, 0x77}; 298 uint8_t CH5[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x54, 0x66, 0x77}; 299 uint8_t CH6[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x76, 0x77}; 300 uint8_t CH7[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0xF7}; 301 for (int i = 0; i < NumIter; i++) { 302 uint8_t T[9] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77}; 303 size_t NewSize = (*MD.*M)(T, 8, 9); 304 if (NewSize == 8 && !memcmp(CH0, T, 8)) FoundMask |= 1 << 0; 305 if (NewSize == 8 && !memcmp(CH1, T, 8)) FoundMask |= 1 << 1; 306 if (NewSize == 8 && !memcmp(CH2, T, 8)) FoundMask |= 1 << 2; 307 if (NewSize == 8 && !memcmp(CH3, T, 8)) FoundMask |= 1 << 3; 308 if (NewSize == 8 && !memcmp(CH4, T, 8)) FoundMask |= 1 << 4; 309 if (NewSize == 8 && !memcmp(CH5, T, 8)) FoundMask |= 1 << 5; 310 if (NewSize == 8 && !memcmp(CH6, T, 8)) FoundMask |= 1 << 6; 311 if (NewSize == 8 && !memcmp(CH7, T, 8)) FoundMask |= 1 << 7; 312 } 313 EXPECT_EQ(FoundMask, 255); 314 } 315 316 TEST(FuzzerMutate, ChangeBit1) { 317 TestChangeBit(&MutationDispatcher::Mutate_ChangeBit, 1 << 16); 318 } 319 TEST(FuzzerMutate, ChangeBit2) { 320 TestChangeBit(&MutationDispatcher::Mutate, 1 << 18); 321 } 322 323 void TestShuffleBytes(Mutator M, int NumIter) { 324 std::unique_ptr<ExternalFunctions> t(new ExternalFunctions()); 325 fuzzer::EF = t.get(); 326 Random Rand(0); 327 std::unique_ptr<MutationDispatcher> MD(new MutationDispatcher(Rand, {})); 328 int FoundMask = 0; 329 uint8_t CH0[7] = {0x00, 0x22, 0x11, 0x33, 0x44, 0x55, 0x66}; 330 uint8_t CH1[7] = {0x11, 0x00, 0x33, 0x22, 0x44, 0x55, 0x66}; 331 uint8_t CH2[7] = {0x00, 0x33, 0x11, 0x22, 0x44, 0x55, 0x66}; 332 uint8_t CH3[7] = {0x00, 0x11, 0x22, 0x44, 0x55, 0x66, 0x33}; 333 uint8_t CH4[7] = {0x00, 0x11, 0x22, 0x33, 0x55, 0x44, 0x66}; 334 for (int i = 0; i < NumIter; i++) { 335 uint8_t T[7] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66}; 336 size_t NewSize = (*MD.*M)(T, 7, 7); 337 if (NewSize == 7 && !memcmp(CH0, T, 7)) FoundMask |= 1 << 0; 338 if (NewSize == 7 && !memcmp(CH1, T, 7)) FoundMask |= 1 << 1; 339 if (NewSize == 7 && !memcmp(CH2, T, 7)) FoundMask |= 1 << 2; 340 if (NewSize == 7 && !memcmp(CH3, T, 7)) FoundMask |= 1 << 3; 341 if (NewSize == 7 && !memcmp(CH4, T, 7)) FoundMask |= 1 << 4; 342 } 343 EXPECT_EQ(FoundMask, 31); 344 } 345 346 TEST(FuzzerMutate, ShuffleBytes1) { 347 TestShuffleBytes(&MutationDispatcher::Mutate_ShuffleBytes, 1 << 17); 348 } 349 TEST(FuzzerMutate, ShuffleBytes2) { 350 TestShuffleBytes(&MutationDispatcher::Mutate, 1 << 20); 351 } 352 353 void TestCopyPart(Mutator M, int NumIter) { 354 std::unique_ptr<ExternalFunctions> t(new ExternalFunctions()); 355 fuzzer::EF = t.get(); 356 Random Rand(0); 357 std::unique_ptr<MutationDispatcher> MD(new MutationDispatcher(Rand, {})); 358 int FoundMask = 0; 359 uint8_t CH0[7] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x00, 0x11}; 360 uint8_t CH1[7] = {0x55, 0x66, 0x22, 0x33, 0x44, 0x55, 0x66}; 361 uint8_t CH2[7] = {0x00, 0x55, 0x66, 0x33, 0x44, 0x55, 0x66}; 362 uint8_t CH3[7] = {0x00, 0x11, 0x22, 0x00, 0x11, 0x22, 0x66}; 363 uint8_t CH4[7] = {0x00, 0x11, 0x11, 0x22, 0x33, 0x55, 0x66}; 364 365 for (int i = 0; i < NumIter; i++) { 366 uint8_t T[7] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66}; 367 size_t NewSize = (*MD.*M)(T, 7, 7); 368 if (NewSize == 7 && !memcmp(CH0, T, 7)) FoundMask |= 1 << 0; 369 if (NewSize == 7 && !memcmp(CH1, T, 7)) FoundMask |= 1 << 1; 370 if (NewSize == 7 && !memcmp(CH2, T, 7)) FoundMask |= 1 << 2; 371 if (NewSize == 7 && !memcmp(CH3, T, 7)) FoundMask |= 1 << 3; 372 if (NewSize == 7 && !memcmp(CH4, T, 7)) FoundMask |= 1 << 4; 373 } 374 375 uint8_t CH5[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x00, 0x11, 0x22}; 376 uint8_t CH6[8] = {0x22, 0x33, 0x44, 0x00, 0x11, 0x22, 0x33, 0x44}; 377 uint8_t CH7[8] = {0x00, 0x11, 0x22, 0x00, 0x11, 0x22, 0x33, 0x44}; 378 uint8_t CH8[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x22, 0x33, 0x44}; 379 uint8_t CH9[8] = {0x00, 0x11, 0x22, 0x22, 0x33, 0x44, 0x33, 0x44}; 380 381 for (int i = 0; i < NumIter; i++) { 382 uint8_t T[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77}; 383 size_t NewSize = (*MD.*M)(T, 5, 8); 384 if (NewSize == 8 && !memcmp(CH5, T, 8)) FoundMask |= 1 << 5; 385 if (NewSize == 8 && !memcmp(CH6, T, 8)) FoundMask |= 1 << 6; 386 if (NewSize == 8 && !memcmp(CH7, T, 8)) FoundMask |= 1 << 7; 387 if (NewSize == 8 && !memcmp(CH8, T, 8)) FoundMask |= 1 << 8; 388 if (NewSize == 8 && !memcmp(CH9, T, 8)) FoundMask |= 1 << 9; 389 } 390 391 EXPECT_EQ(FoundMask, 1023); 392 } 393 394 TEST(FuzzerMutate, CopyPart1) { 395 TestCopyPart(&MutationDispatcher::Mutate_CopyPart, 1 << 10); 396 } 397 TEST(FuzzerMutate, CopyPart2) { 398 TestCopyPart(&MutationDispatcher::Mutate, 1 << 13); 399 } 400 TEST(FuzzerMutate, CopyPartNoInsertAtMaxSize) { 401 // This (non exhaustively) tests if `Mutate_CopyPart` tries to perform an 402 // insert on an input of size `MaxSize`. Performing an insert in this case 403 // will lead to the mutation failing. 404 std::unique_ptr<ExternalFunctions> t(new ExternalFunctions()); 405 fuzzer::EF = t.get(); 406 Random Rand(0); 407 std::unique_ptr<MutationDispatcher> MD(new MutationDispatcher(Rand, {})); 408 uint8_t Data[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x00, 0x11, 0x22}; 409 size_t MaxSize = sizeof(Data); 410 for (int count = 0; count < (1 << 18); ++count) { 411 size_t NewSize = MD->Mutate_CopyPart(Data, MaxSize, MaxSize); 412 ASSERT_EQ(NewSize, MaxSize); 413 } 414 } 415 416 void TestAddWordFromDictionary(Mutator M, int NumIter) { 417 std::unique_ptr<ExternalFunctions> t(new ExternalFunctions()); 418 fuzzer::EF = t.get(); 419 Random Rand(0); 420 std::unique_ptr<MutationDispatcher> MD(new MutationDispatcher(Rand, {})); 421 uint8_t Word1[4] = {0xAA, 0xBB, 0xCC, 0xDD}; 422 uint8_t Word2[3] = {0xFF, 0xEE, 0xEF}; 423 MD->AddWordToManualDictionary(Word(Word1, sizeof(Word1))); 424 MD->AddWordToManualDictionary(Word(Word2, sizeof(Word2))); 425 int FoundMask = 0; 426 uint8_t CH0[7] = {0x00, 0x11, 0x22, 0xAA, 0xBB, 0xCC, 0xDD}; 427 uint8_t CH1[7] = {0x00, 0x11, 0xAA, 0xBB, 0xCC, 0xDD, 0x22}; 428 uint8_t CH2[7] = {0x00, 0xAA, 0xBB, 0xCC, 0xDD, 0x11, 0x22}; 429 uint8_t CH3[7] = {0xAA, 0xBB, 0xCC, 0xDD, 0x00, 0x11, 0x22}; 430 uint8_t CH4[6] = {0x00, 0x11, 0x22, 0xFF, 0xEE, 0xEF}; 431 uint8_t CH5[6] = {0x00, 0x11, 0xFF, 0xEE, 0xEF, 0x22}; 432 uint8_t CH6[6] = {0x00, 0xFF, 0xEE, 0xEF, 0x11, 0x22}; 433 uint8_t CH7[6] = {0xFF, 0xEE, 0xEF, 0x00, 0x11, 0x22}; 434 for (int i = 0; i < NumIter; i++) { 435 uint8_t T[7] = {0x00, 0x11, 0x22}; 436 size_t NewSize = (*MD.*M)(T, 3, 7); 437 if (NewSize == 7 && !memcmp(CH0, T, 7)) FoundMask |= 1 << 0; 438 if (NewSize == 7 && !memcmp(CH1, T, 7)) FoundMask |= 1 << 1; 439 if (NewSize == 7 && !memcmp(CH2, T, 7)) FoundMask |= 1 << 2; 440 if (NewSize == 7 && !memcmp(CH3, T, 7)) FoundMask |= 1 << 3; 441 if (NewSize == 6 && !memcmp(CH4, T, 6)) FoundMask |= 1 << 4; 442 if (NewSize == 6 && !memcmp(CH5, T, 6)) FoundMask |= 1 << 5; 443 if (NewSize == 6 && !memcmp(CH6, T, 6)) FoundMask |= 1 << 6; 444 if (NewSize == 6 && !memcmp(CH7, T, 6)) FoundMask |= 1 << 7; 445 } 446 EXPECT_EQ(FoundMask, 255); 447 } 448 449 TEST(FuzzerMutate, AddWordFromDictionary1) { 450 TestAddWordFromDictionary( 451 &MutationDispatcher::Mutate_AddWordFromManualDictionary, 1 << 15); 452 } 453 454 TEST(FuzzerMutate, AddWordFromDictionary2) { 455 TestAddWordFromDictionary(&MutationDispatcher::Mutate, 1 << 15); 456 } 457 458 void TestChangeASCIIInteger(Mutator M, int NumIter) { 459 std::unique_ptr<ExternalFunctions> t(new ExternalFunctions()); 460 fuzzer::EF = t.get(); 461 Random Rand(0); 462 std::unique_ptr<MutationDispatcher> MD(new MutationDispatcher(Rand, {})); 463 464 uint8_t CH0[8] = {'1', '2', '3', '4', '5', '6', '7', '7'}; 465 uint8_t CH1[8] = {'1', '2', '3', '4', '5', '6', '7', '9'}; 466 uint8_t CH2[8] = {'2', '4', '6', '9', '1', '3', '5', '6'}; 467 uint8_t CH3[8] = {'0', '6', '1', '7', '2', '8', '3', '9'}; 468 int FoundMask = 0; 469 for (int i = 0; i < NumIter; i++) { 470 uint8_t T[8] = {'1', '2', '3', '4', '5', '6', '7', '8'}; 471 size_t NewSize = (*MD.*M)(T, 8, 8); 472 /**/ if (NewSize == 8 && !memcmp(CH0, T, 8)) FoundMask |= 1 << 0; 473 else if (NewSize == 8 && !memcmp(CH1, T, 8)) FoundMask |= 1 << 1; 474 else if (NewSize == 8 && !memcmp(CH2, T, 8)) FoundMask |= 1 << 2; 475 else if (NewSize == 8 && !memcmp(CH3, T, 8)) FoundMask |= 1 << 3; 476 else if (NewSize == 8) FoundMask |= 1 << 4; 477 } 478 EXPECT_EQ(FoundMask, 31); 479 } 480 481 TEST(FuzzerMutate, ChangeASCIIInteger1) { 482 TestChangeASCIIInteger(&MutationDispatcher::Mutate_ChangeASCIIInteger, 483 1 << 15); 484 } 485 486 TEST(FuzzerMutate, ChangeASCIIInteger2) { 487 TestChangeASCIIInteger(&MutationDispatcher::Mutate, 1 << 15); 488 } 489 490 void TestChangeBinaryInteger(Mutator M, int NumIter) { 491 std::unique_ptr<ExternalFunctions> t(new ExternalFunctions()); 492 fuzzer::EF = t.get(); 493 Random Rand(0); 494 std::unique_ptr<MutationDispatcher> MD(new MutationDispatcher(Rand, {})); 495 496 uint8_t CH0[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x79}; 497 uint8_t CH1[8] = {0x00, 0x11, 0x22, 0x31, 0x44, 0x55, 0x66, 0x77}; 498 uint8_t CH2[8] = {0xff, 0x10, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77}; 499 uint8_t CH3[8] = {0x00, 0x11, 0x2a, 0x33, 0x44, 0x55, 0x66, 0x77}; 500 uint8_t CH4[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x4f, 0x66, 0x77}; 501 uint8_t CH5[8] = {0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99, 0x88}; 502 uint8_t CH6[8] = {0x00, 0x11, 0x22, 0x00, 0x00, 0x00, 0x08, 0x77}; // Size 503 uint8_t CH7[8] = {0x00, 0x08, 0x00, 0x33, 0x44, 0x55, 0x66, 0x77}; // Sw(Size) 504 505 int FoundMask = 0; 506 for (int i = 0; i < NumIter; i++) { 507 uint8_t T[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77}; 508 size_t NewSize = (*MD.*M)(T, 8, 8); 509 /**/ if (NewSize == 8 && !memcmp(CH0, T, 8)) FoundMask |= 1 << 0; 510 else if (NewSize == 8 && !memcmp(CH1, T, 8)) FoundMask |= 1 << 1; 511 else if (NewSize == 8 && !memcmp(CH2, T, 8)) FoundMask |= 1 << 2; 512 else if (NewSize == 8 && !memcmp(CH3, T, 8)) FoundMask |= 1 << 3; 513 else if (NewSize == 8 && !memcmp(CH4, T, 8)) FoundMask |= 1 << 4; 514 else if (NewSize == 8 && !memcmp(CH5, T, 8)) FoundMask |= 1 << 5; 515 else if (NewSize == 8 && !memcmp(CH6, T, 8)) FoundMask |= 1 << 6; 516 else if (NewSize == 8 && !memcmp(CH7, T, 8)) FoundMask |= 1 << 7; 517 } 518 EXPECT_EQ(FoundMask, 255); 519 } 520 521 TEST(FuzzerMutate, ChangeBinaryInteger1) { 522 TestChangeBinaryInteger(&MutationDispatcher::Mutate_ChangeBinaryInteger, 523 1 << 12); 524 } 525 526 TEST(FuzzerMutate, ChangeBinaryInteger2) { 527 TestChangeBinaryInteger(&MutationDispatcher::Mutate, 1 << 15); 528 } 529 530 531 TEST(FuzzerDictionary, ParseOneDictionaryEntry) { 532 Unit U; 533 EXPECT_FALSE(ParseOneDictionaryEntry("", &U)); 534 EXPECT_FALSE(ParseOneDictionaryEntry(" ", &U)); 535 EXPECT_FALSE(ParseOneDictionaryEntry("\t ", &U)); 536 EXPECT_FALSE(ParseOneDictionaryEntry(" \" ", &U)); 537 EXPECT_FALSE(ParseOneDictionaryEntry(" zz\" ", &U)); 538 EXPECT_FALSE(ParseOneDictionaryEntry(" \"zz ", &U)); 539 EXPECT_FALSE(ParseOneDictionaryEntry(" \"\" ", &U)); 540 EXPECT_TRUE(ParseOneDictionaryEntry("\"a\"", &U)); 541 EXPECT_EQ(U, Unit({'a'})); 542 EXPECT_TRUE(ParseOneDictionaryEntry("\"abc\"", &U)); 543 EXPECT_EQ(U, Unit({'a', 'b', 'c'})); 544 EXPECT_TRUE(ParseOneDictionaryEntry("abc=\"abc\"", &U)); 545 EXPECT_EQ(U, Unit({'a', 'b', 'c'})); 546 EXPECT_FALSE(ParseOneDictionaryEntry("\"\\\"", &U)); 547 EXPECT_TRUE(ParseOneDictionaryEntry("\"\\\\\"", &U)); 548 EXPECT_EQ(U, Unit({'\\'})); 549 EXPECT_TRUE(ParseOneDictionaryEntry("\"\\xAB\"", &U)); 550 EXPECT_EQ(U, Unit({0xAB})); 551 EXPECT_TRUE(ParseOneDictionaryEntry("\"\\xABz\\xDE\"", &U)); 552 EXPECT_EQ(U, Unit({0xAB, 'z', 0xDE})); 553 EXPECT_TRUE(ParseOneDictionaryEntry("\"#\"", &U)); 554 EXPECT_EQ(U, Unit({'#'})); 555 EXPECT_TRUE(ParseOneDictionaryEntry("\"\\\"\"", &U)); 556 EXPECT_EQ(U, Unit({'"'})); 557 } 558 559 TEST(FuzzerDictionary, ParseDictionaryFile) { 560 Vector<Unit> Units; 561 EXPECT_FALSE(ParseDictionaryFile("zzz\n", &Units)); 562 EXPECT_FALSE(ParseDictionaryFile("", &Units)); 563 EXPECT_TRUE(ParseDictionaryFile("\n", &Units)); 564 EXPECT_EQ(Units.size(), 0U); 565 EXPECT_TRUE(ParseDictionaryFile("#zzzz a b c d\n", &Units)); 566 EXPECT_EQ(Units.size(), 0U); 567 EXPECT_TRUE(ParseDictionaryFile(" #zzzz\n", &Units)); 568 EXPECT_EQ(Units.size(), 0U); 569 EXPECT_TRUE(ParseDictionaryFile(" #zzzz\n", &Units)); 570 EXPECT_EQ(Units.size(), 0U); 571 EXPECT_TRUE(ParseDictionaryFile(" #zzzz\naaa=\"aa\"", &Units)); 572 EXPECT_EQ(Units, Vector<Unit>({Unit({'a', 'a'})})); 573 EXPECT_TRUE( 574 ParseDictionaryFile(" #zzzz\naaa=\"aa\"\n\nabc=\"abc\"", &Units)); 575 EXPECT_EQ(Units, 576 Vector<Unit>({Unit({'a', 'a'}), Unit({'a', 'b', 'c'})})); 577 } 578 579 TEST(FuzzerUtil, Base64) { 580 EXPECT_EQ("", Base64({})); 581 EXPECT_EQ("YQ==", Base64({'a'})); 582 EXPECT_EQ("eA==", Base64({'x'})); 583 EXPECT_EQ("YWI=", Base64({'a', 'b'})); 584 EXPECT_EQ("eHk=", Base64({'x', 'y'})); 585 EXPECT_EQ("YWJj", Base64({'a', 'b', 'c'})); 586 EXPECT_EQ("eHl6", Base64({'x', 'y', 'z'})); 587 EXPECT_EQ("YWJjeA==", Base64({'a', 'b', 'c', 'x'})); 588 EXPECT_EQ("YWJjeHk=", Base64({'a', 'b', 'c', 'x', 'y'})); 589 EXPECT_EQ("YWJjeHl6", Base64({'a', 'b', 'c', 'x', 'y', 'z'})); 590 } 591 592 TEST(Corpus, Distribution) { 593 DataFlowTrace DFT; 594 Random Rand(0); 595 std::unique_ptr<InputCorpus> C(new InputCorpus("")); 596 size_t N = 10; 597 size_t TriesPerUnit = 1<<16; 598 for (size_t i = 0; i < N; i++) 599 C->AddToCorpus(Unit{static_cast<uint8_t>(i)}, 1, false, false, {}, DFT, 600 nullptr); 601 602 Vector<size_t> Hist(N); 603 for (size_t i = 0; i < N * TriesPerUnit; i++) { 604 Hist[C->ChooseUnitIdxToMutate(Rand)]++; 605 } 606 for (size_t i = 0; i < N; i++) { 607 // A weak sanity check that every unit gets invoked. 608 EXPECT_GT(Hist[i], TriesPerUnit / N / 3); 609 } 610 } 611 612 TEST(Merge, Bad) { 613 const char *kInvalidInputs[] = { 614 "", 615 "x", 616 "3\nx", 617 "2\n3", 618 "2\n2", 619 "2\n2\nA\n", 620 "2\n2\nA\nB\nC\n", 621 "0\n0\n", 622 "1\n1\nA\nFT 0", 623 "1\n1\nA\nSTARTED 1", 624 }; 625 Merger M; 626 for (auto S : kInvalidInputs) { 627 // fprintf(stderr, "TESTING:\n%s\n", S); 628 EXPECT_FALSE(M.Parse(S, false)); 629 } 630 } 631 632 void EQ(const Vector<uint32_t> &A, const Vector<uint32_t> &B) { 633 EXPECT_EQ(A, B); 634 } 635 636 void EQ(const Vector<std::string> &A, const Vector<std::string> &B) { 637 Set<std::string> a(A.begin(), A.end()); 638 Set<std::string> b(B.begin(), B.end()); 639 EXPECT_EQ(a, b); 640 } 641 642 static void Merge(const std::string &Input, 643 const Vector<std::string> Result, 644 size_t NumNewFeatures) { 645 Merger M; 646 Vector<std::string> NewFiles; 647 Set<uint32_t> NewFeatures, NewCov; 648 EXPECT_TRUE(M.Parse(Input, true)); 649 EXPECT_EQ(NumNewFeatures, M.Merge({}, &NewFeatures, {}, &NewCov, &NewFiles)); 650 EQ(NewFiles, Result); 651 } 652 653 TEST(Merge, Good) { 654 Merger M; 655 656 EXPECT_TRUE(M.Parse("1\n0\nAA\n", false)); 657 EXPECT_EQ(M.Files.size(), 1U); 658 EXPECT_EQ(M.NumFilesInFirstCorpus, 0U); 659 EXPECT_EQ(M.Files[0].Name, "AA"); 660 EXPECT_TRUE(M.LastFailure.empty()); 661 EXPECT_EQ(M.FirstNotProcessedFile, 0U); 662 663 EXPECT_TRUE(M.Parse("2\n1\nAA\nBB\nSTARTED 0 42\n", false)); 664 EXPECT_EQ(M.Files.size(), 2U); 665 EXPECT_EQ(M.NumFilesInFirstCorpus, 1U); 666 EXPECT_EQ(M.Files[0].Name, "AA"); 667 EXPECT_EQ(M.Files[1].Name, "BB"); 668 EXPECT_EQ(M.LastFailure, "AA"); 669 EXPECT_EQ(M.FirstNotProcessedFile, 1U); 670 671 EXPECT_TRUE(M.Parse("3\n1\nAA\nBB\nC\n" 672 "STARTED 0 1000\n" 673 "FT 0 1 2 3\n" 674 "STARTED 1 1001\n" 675 "FT 1 4 5 6 \n" 676 "STARTED 2 1002\n" 677 "", true)); 678 EXPECT_EQ(M.Files.size(), 3U); 679 EXPECT_EQ(M.NumFilesInFirstCorpus, 1U); 680 EXPECT_EQ(M.Files[0].Name, "AA"); 681 EXPECT_EQ(M.Files[0].Size, 1000U); 682 EXPECT_EQ(M.Files[1].Name, "BB"); 683 EXPECT_EQ(M.Files[1].Size, 1001U); 684 EXPECT_EQ(M.Files[2].Name, "C"); 685 EXPECT_EQ(M.Files[2].Size, 1002U); 686 EXPECT_EQ(M.LastFailure, "C"); 687 EXPECT_EQ(M.FirstNotProcessedFile, 3U); 688 EQ(M.Files[0].Features, {1, 2, 3}); 689 EQ(M.Files[1].Features, {4, 5, 6}); 690 691 692 Vector<std::string> NewFiles; 693 Set<uint32_t> NewFeatures, NewCov; 694 695 EXPECT_TRUE(M.Parse("3\n2\nAA\nBB\nC\n" 696 "STARTED 0 1000\nFT 0 1 2 3\n" 697 "STARTED 1 1001\nFT 1 4 5 6 \n" 698 "STARTED 2 1002\nFT 2 6 1 3 \n" 699 "", true)); 700 EXPECT_EQ(M.Files.size(), 3U); 701 EXPECT_EQ(M.NumFilesInFirstCorpus, 2U); 702 EXPECT_TRUE(M.LastFailure.empty()); 703 EXPECT_EQ(M.FirstNotProcessedFile, 3U); 704 EQ(M.Files[0].Features, {1, 2, 3}); 705 EQ(M.Files[1].Features, {4, 5, 6}); 706 EQ(M.Files[2].Features, {1, 3, 6}); 707 EXPECT_EQ(0U, M.Merge({}, &NewFeatures, {}, &NewCov, &NewFiles)); 708 EQ(NewFiles, {}); 709 710 EXPECT_TRUE(M.Parse("3\n1\nA\nB\nC\n" 711 "STARTED 0 1000\nFT 0 1 2 3\n" 712 "STARTED 1 1001\nFT 1 4 5 6 \n" 713 "STARTED 2 1002\nFT 2 6 1 3\n" 714 "", true)); 715 EQ(M.Files[0].Features, {1, 2, 3}); 716 EQ(M.Files[1].Features, {4, 5, 6}); 717 EQ(M.Files[2].Features, {1, 3, 6}); 718 EXPECT_EQ(3U, M.Merge({}, &NewFeatures, {}, &NewCov, &NewFiles)); 719 EQ(NewFiles, {"B"}); 720 721 // Same as the above, but with InitialFeatures. 722 EXPECT_TRUE(M.Parse("2\n0\nB\nC\n" 723 "STARTED 0 1001\nFT 0 4 5 6 \n" 724 "STARTED 1 1002\nFT 1 6 1 3\n" 725 "", true)); 726 EQ(M.Files[0].Features, {4, 5, 6}); 727 EQ(M.Files[1].Features, {1, 3, 6}); 728 Set<uint32_t> InitialFeatures; 729 InitialFeatures.insert(1); 730 InitialFeatures.insert(2); 731 InitialFeatures.insert(3); 732 EXPECT_EQ(3U, M.Merge(InitialFeatures, &NewFeatures, {}, &NewCov, &NewFiles)); 733 EQ(NewFiles, {"B"}); 734 } 735 736 TEST(Merge, Merge) { 737 738 Merge("3\n1\nA\nB\nC\n" 739 "STARTED 0 1000\nFT 0 1 2 3\n" 740 "STARTED 1 1001\nFT 1 4 5 6 \n" 741 "STARTED 2 1002\nFT 2 6 1 3 \n", 742 {"B"}, 3); 743 744 Merge("3\n0\nA\nB\nC\n" 745 "STARTED 0 2000\nFT 0 1 2 3\n" 746 "STARTED 1 1001\nFT 1 4 5 6 \n" 747 "STARTED 2 1002\nFT 2 6 1 3 \n", 748 {"A", "B", "C"}, 6); 749 750 Merge("4\n0\nA\nB\nC\nD\n" 751 "STARTED 0 2000\nFT 0 1 2 3\n" 752 "STARTED 1 1101\nFT 1 4 5 6 \n" 753 "STARTED 2 1102\nFT 2 6 1 3 100 \n" 754 "STARTED 3 1000\nFT 3 1 \n", 755 {"A", "B", "C", "D"}, 7); 756 757 Merge("4\n1\nA\nB\nC\nD\n" 758 "STARTED 0 2000\nFT 0 4 5 6 7 8\n" 759 "STARTED 1 1100\nFT 1 1 2 3 \n" 760 "STARTED 2 1100\nFT 2 2 3 \n" 761 "STARTED 3 1000\nFT 3 1 \n", 762 {"B", "D"}, 3); 763 } 764 765 TEST(DFT, BlockCoverage) { 766 BlockCoverage Cov; 767 // Assuming C0 has 5 instrumented blocks, 768 // C1: 7 blocks, C2: 4, C3: 9, C4 never covered, C5: 15, 769 770 // Add C0 771 EXPECT_TRUE(Cov.AppendCoverage("C0 5\n")); 772 EXPECT_EQ(Cov.GetCounter(0, 0), 1U); 773 EXPECT_EQ(Cov.GetCounter(0, 1), 0U); // not seen this BB yet. 774 EXPECT_EQ(Cov.GetCounter(0, 5), 0U); // BB ID out of bounds. 775 EXPECT_EQ(Cov.GetCounter(1, 0), 0U); // not seen this function yet. 776 777 EXPECT_EQ(Cov.GetNumberOfBlocks(0), 5U); 778 EXPECT_EQ(Cov.GetNumberOfCoveredBlocks(0), 1U); 779 EXPECT_EQ(Cov.GetNumberOfBlocks(1), 0U); 780 781 // Various errors. 782 EXPECT_FALSE(Cov.AppendCoverage("C0\n")); // No total number. 783 EXPECT_FALSE(Cov.AppendCoverage("C0 7\n")); // No total number. 784 EXPECT_FALSE(Cov.AppendCoverage("CZ\n")); // Wrong function number. 785 EXPECT_FALSE(Cov.AppendCoverage("C1 7 7")); // BB ID is too big. 786 EXPECT_FALSE(Cov.AppendCoverage("C1 100 7")); // BB ID is too big. 787 788 // Add C0 more times. 789 EXPECT_TRUE(Cov.AppendCoverage("C0 5\n")); 790 EXPECT_EQ(Cov.GetCounter(0, 0), 2U); 791 EXPECT_TRUE(Cov.AppendCoverage("C0 1 2 5\n")); 792 EXPECT_EQ(Cov.GetCounter(0, 0), 3U); 793 EXPECT_EQ(Cov.GetCounter(0, 1), 1U); 794 EXPECT_EQ(Cov.GetCounter(0, 2), 1U); 795 EXPECT_EQ(Cov.GetCounter(0, 3), 0U); 796 EXPECT_EQ(Cov.GetCounter(0, 4), 0U); 797 EXPECT_EQ(Cov.GetNumberOfCoveredBlocks(0), 3U); 798 EXPECT_TRUE(Cov.AppendCoverage("C0 1 3 4 5\n")); 799 EXPECT_EQ(Cov.GetCounter(0, 0), 4U); 800 EXPECT_EQ(Cov.GetCounter(0, 1), 2U); 801 EXPECT_EQ(Cov.GetCounter(0, 2), 1U); 802 EXPECT_EQ(Cov.GetCounter(0, 3), 1U); 803 EXPECT_EQ(Cov.GetCounter(0, 4), 1U); 804 EXPECT_EQ(Cov.GetNumberOfCoveredBlocks(0), 5U); 805 806 EXPECT_TRUE(Cov.AppendCoverage("C1 7\nC2 4\nC3 9\nC5 15\nC0 5\n")); 807 EXPECT_EQ(Cov.GetCounter(0, 0), 5U); 808 EXPECT_EQ(Cov.GetCounter(1, 0), 1U); 809 EXPECT_EQ(Cov.GetCounter(2, 0), 1U); 810 EXPECT_EQ(Cov.GetCounter(3, 0), 1U); 811 EXPECT_EQ(Cov.GetCounter(4, 0), 0U); 812 EXPECT_EQ(Cov.GetCounter(5, 0), 1U); 813 814 EXPECT_TRUE(Cov.AppendCoverage("C3 4 5 9\nC5 11 12 15")); 815 EXPECT_EQ(Cov.GetCounter(0, 0), 5U); 816 EXPECT_EQ(Cov.GetCounter(1, 0), 1U); 817 EXPECT_EQ(Cov.GetCounter(2, 0), 1U); 818 EXPECT_EQ(Cov.GetCounter(3, 0), 2U); 819 EXPECT_EQ(Cov.GetCounter(3, 4), 1U); 820 EXPECT_EQ(Cov.GetCounter(3, 5), 1U); 821 EXPECT_EQ(Cov.GetCounter(3, 6), 0U); 822 EXPECT_EQ(Cov.GetCounter(4, 0), 0U); 823 EXPECT_EQ(Cov.GetCounter(5, 0), 2U); 824 EXPECT_EQ(Cov.GetCounter(5, 10), 0U); 825 EXPECT_EQ(Cov.GetCounter(5, 11), 1U); 826 EXPECT_EQ(Cov.GetCounter(5, 12), 1U); 827 } 828 829 TEST(DFT, FunctionWeights) { 830 BlockCoverage Cov; 831 // unused function gets zero weight. 832 EXPECT_TRUE(Cov.AppendCoverage("C0 5\n")); 833 auto Weights = Cov.FunctionWeights(2); 834 EXPECT_GT(Weights[0], 0.); 835 EXPECT_EQ(Weights[1], 0.); 836 837 // Less frequently used function gets less weight. 838 Cov.clear(); 839 EXPECT_TRUE(Cov.AppendCoverage("C0 5\nC1 5\nC1 5\n")); 840 Weights = Cov.FunctionWeights(2); 841 EXPECT_GT(Weights[0], Weights[1]); 842 843 // A function with more uncovered blocks gets more weight. 844 Cov.clear(); 845 EXPECT_TRUE(Cov.AppendCoverage("C0 1 2 3 5\nC1 2 4\n")); 846 Weights = Cov.FunctionWeights(2); 847 EXPECT_GT(Weights[1], Weights[0]); 848 849 // A function with DFT gets more weight than the function w/o DFT. 850 Cov.clear(); 851 EXPECT_TRUE(Cov.AppendCoverage("F1 111\nC0 3\nC1 1 2 3\n")); 852 Weights = Cov.FunctionWeights(2); 853 EXPECT_GT(Weights[1], Weights[0]); 854 } 855 856 857 TEST(Fuzzer, ForEachNonZeroByte) { 858 const size_t N = 64; 859 alignas(64) uint8_t Ar[N + 8] = { 860 0, 0, 0, 0, 0, 0, 0, 0, 861 1, 2, 0, 0, 0, 0, 0, 0, 862 0, 0, 3, 0, 4, 0, 0, 0, 863 0, 0, 0, 0, 0, 0, 0, 0, 864 0, 0, 0, 5, 0, 6, 0, 0, 865 0, 0, 0, 0, 0, 0, 7, 0, 866 0, 0, 0, 0, 0, 0, 0, 0, 867 0, 0, 0, 0, 0, 0, 0, 8, 868 9, 9, 9, 9, 9, 9, 9, 9, 869 }; 870 typedef Vector<std::pair<size_t, uint8_t> > Vec; 871 Vec Res, Expected; 872 auto CB = [&](size_t FirstFeature, size_t Idx, uint8_t V) { 873 Res.push_back({FirstFeature + Idx, V}); 874 }; 875 ForEachNonZeroByte(Ar, Ar + N, 100, CB); 876 Expected = {{108, 1}, {109, 2}, {118, 3}, {120, 4}, 877 {135, 5}, {137, 6}, {146, 7}, {163, 8}}; 878 EXPECT_EQ(Res, Expected); 879 880 Res.clear(); 881 ForEachNonZeroByte(Ar + 9, Ar + N, 109, CB); 882 Expected = { {109, 2}, {118, 3}, {120, 4}, 883 {135, 5}, {137, 6}, {146, 7}, {163, 8}}; 884 EXPECT_EQ(Res, Expected); 885 886 Res.clear(); 887 ForEachNonZeroByte(Ar + 9, Ar + N - 9, 109, CB); 888 Expected = { {109, 2}, {118, 3}, {120, 4}, 889 {135, 5}, {137, 6}, {146, 7}}; 890 EXPECT_EQ(Res, Expected); 891 } 892 893 // FuzzerCommand unit tests. The arguments in the two helper methods below must 894 // match. 895 static void makeCommandArgs(Vector<std::string> *ArgsToAdd) { 896 assert(ArgsToAdd); 897 ArgsToAdd->clear(); 898 ArgsToAdd->push_back("foo"); 899 ArgsToAdd->push_back("-bar=baz"); 900 ArgsToAdd->push_back("qux"); 901 ArgsToAdd->push_back(Command::ignoreRemainingArgs()); 902 ArgsToAdd->push_back("quux"); 903 ArgsToAdd->push_back("-grault=garply"); 904 } 905 906 static std::string makeCmdLine(const char *separator, const char *suffix) { 907 std::string CmdLine("foo -bar=baz qux "); 908 if (strlen(separator) != 0) { 909 CmdLine += separator; 910 CmdLine += " "; 911 } 912 CmdLine += Command::ignoreRemainingArgs(); 913 CmdLine += " quux -grault=garply"; 914 if (strlen(suffix) != 0) { 915 CmdLine += " "; 916 CmdLine += suffix; 917 } 918 return CmdLine; 919 } 920 921 TEST(FuzzerCommand, Create) { 922 std::string CmdLine; 923 924 // Default constructor 925 Command DefaultCmd; 926 927 CmdLine = DefaultCmd.toString(); 928 EXPECT_EQ(CmdLine, ""); 929 930 // Explicit constructor 931 Vector<std::string> ArgsToAdd; 932 makeCommandArgs(&ArgsToAdd); 933 Command InitializedCmd(ArgsToAdd); 934 935 CmdLine = InitializedCmd.toString(); 936 EXPECT_EQ(CmdLine, makeCmdLine("", "")); 937 938 // Compare each argument 939 auto InitializedArgs = InitializedCmd.getArguments(); 940 auto i = ArgsToAdd.begin(); 941 auto j = InitializedArgs.begin(); 942 while (i != ArgsToAdd.end() && j != InitializedArgs.end()) { 943 EXPECT_EQ(*i++, *j++); 944 } 945 EXPECT_EQ(i, ArgsToAdd.end()); 946 EXPECT_EQ(j, InitializedArgs.end()); 947 948 // Copy constructor 949 Command CopiedCmd(InitializedCmd); 950 951 CmdLine = CopiedCmd.toString(); 952 EXPECT_EQ(CmdLine, makeCmdLine("", "")); 953 954 // Assignment operator 955 Command AssignedCmd; 956 AssignedCmd = CopiedCmd; 957 958 CmdLine = AssignedCmd.toString(); 959 EXPECT_EQ(CmdLine, makeCmdLine("", "")); 960 } 961 962 TEST(FuzzerCommand, ModifyArguments) { 963 Vector<std::string> ArgsToAdd; 964 makeCommandArgs(&ArgsToAdd); 965 Command Cmd; 966 std::string CmdLine; 967 968 Cmd.addArguments(ArgsToAdd); 969 CmdLine = Cmd.toString(); 970 EXPECT_EQ(CmdLine, makeCmdLine("", "")); 971 972 Cmd.addArgument("waldo"); 973 EXPECT_TRUE(Cmd.hasArgument("waldo")); 974 975 CmdLine = Cmd.toString(); 976 EXPECT_EQ(CmdLine, makeCmdLine("waldo", "")); 977 978 Cmd.removeArgument("waldo"); 979 EXPECT_FALSE(Cmd.hasArgument("waldo")); 980 981 CmdLine = Cmd.toString(); 982 EXPECT_EQ(CmdLine, makeCmdLine("", "")); 983 } 984 985 TEST(FuzzerCommand, ModifyFlags) { 986 Vector<std::string> ArgsToAdd; 987 makeCommandArgs(&ArgsToAdd); 988 Command Cmd(ArgsToAdd); 989 std::string Value, CmdLine; 990 ASSERT_FALSE(Cmd.hasFlag("fred")); 991 992 Value = Cmd.getFlagValue("fred"); 993 EXPECT_EQ(Value, ""); 994 995 CmdLine = Cmd.toString(); 996 EXPECT_EQ(CmdLine, makeCmdLine("", "")); 997 998 Cmd.addFlag("fred", "plugh"); 999 EXPECT_TRUE(Cmd.hasFlag("fred")); 1000 1001 Value = Cmd.getFlagValue("fred"); 1002 EXPECT_EQ(Value, "plugh"); 1003 1004 CmdLine = Cmd.toString(); 1005 EXPECT_EQ(CmdLine, makeCmdLine("-fred=plugh", "")); 1006 1007 Cmd.removeFlag("fred"); 1008 EXPECT_FALSE(Cmd.hasFlag("fred")); 1009 1010 Value = Cmd.getFlagValue("fred"); 1011 EXPECT_EQ(Value, ""); 1012 1013 CmdLine = Cmd.toString(); 1014 EXPECT_EQ(CmdLine, makeCmdLine("", "")); 1015 } 1016 1017 TEST(FuzzerCommand, SetOutput) { 1018 Vector<std::string> ArgsToAdd; 1019 makeCommandArgs(&ArgsToAdd); 1020 Command Cmd(ArgsToAdd); 1021 std::string CmdLine; 1022 ASSERT_FALSE(Cmd.hasOutputFile()); 1023 ASSERT_FALSE(Cmd.isOutAndErrCombined()); 1024 1025 Cmd.combineOutAndErr(true); 1026 EXPECT_TRUE(Cmd.isOutAndErrCombined()); 1027 1028 CmdLine = Cmd.toString(); 1029 EXPECT_EQ(CmdLine, makeCmdLine("", "2>&1")); 1030 1031 Cmd.combineOutAndErr(false); 1032 EXPECT_FALSE(Cmd.isOutAndErrCombined()); 1033 1034 Cmd.setOutputFile("xyzzy"); 1035 EXPECT_TRUE(Cmd.hasOutputFile()); 1036 1037 CmdLine = Cmd.toString(); 1038 EXPECT_EQ(CmdLine, makeCmdLine("", ">xyzzy")); 1039 1040 Cmd.setOutputFile("thud"); 1041 EXPECT_TRUE(Cmd.hasOutputFile()); 1042 1043 CmdLine = Cmd.toString(); 1044 EXPECT_EQ(CmdLine, makeCmdLine("", ">thud")); 1045 1046 Cmd.combineOutAndErr(); 1047 EXPECT_TRUE(Cmd.isOutAndErrCombined()); 1048 1049 CmdLine = Cmd.toString(); 1050 EXPECT_EQ(CmdLine, makeCmdLine("", ">thud 2>&1")); 1051 } 1052 1053 int main(int argc, char **argv) { 1054 testing::InitGoogleTest(&argc, argv); 1055 return RUN_ALL_TESTS(); 1056 } 1057