tools/ipc_fuzzer/fuzzer/fuzzer.h

   1 // Copyright 2015 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef TOOLS_IPC_FUZZER_MUTATE_FUZZER_H_
   6 #define TOOLS_IPC_FUZZER_MUTATE_FUZZER_H_
   7
   8 #include <string>
   9 #include <vector>
  10
  11 #include "base/basictypes.h"
  12 #include "base/strings/string_util.h"
  13 #include "ipc/ipc_message.h"
  14
  15 namespace ipc_fuzzer {
  16
  17 // Interface implemented by those who generate basic types.  The types all
  18 // correspond to the types which a pickle from base/pickle.h can pickle,
  19 // plus the floating point types.
  20 class Fuzzer {
  21  public:
  22   // Functions for various data types.
  23   virtual void FuzzBool(bool* value) = 0;
  24   virtual void FuzzInt(int* value) = 0;
  25   virtual void FuzzLong(long* value) = 0;
  26   virtual void FuzzSize(size_t* value) = 0;
  27   virtual void FuzzUChar(unsigned char* value) = 0;
  28   virtual void FuzzWChar(wchar_t* value) = 0;
  29   virtual void FuzzUInt16(uint16* value) = 0;
  30   virtual void FuzzUInt32(uint32* value) = 0;
  31   virtual void FuzzInt64(int64* value) = 0;
  32   virtual void FuzzUInt64(uint64* value) = 0;
  33   virtual void FuzzFloat(float* value) = 0;
  34   virtual void FuzzDouble(double *value) = 0;
  35   virtual void FuzzString(std::string* value) = 0;
  36   virtual void FuzzString16(base::string16* value) = 0;
  37   virtual void FuzzData(char* data, int length) = 0;
  38   virtual void FuzzBytes(void* data, int data_len) = 0;
  39
  40   // Used to determine if a completely new value should be generated for
  41   // certain types instead of attempting to modify the existing one.
  42   virtual bool ShouldGenerate();
  43 };
  44
  45 class NoOpFuzzer : public Fuzzer {
  46  public:
  47   NoOpFuzzer() {}
  48   virtual ~NoOpFuzzer() {}
  49
  50   void FuzzBool(bool* value) override {}
  51   void FuzzInt(int* value) override {}
  52   void FuzzLong(long* value) override {}
  53   void FuzzSize(size_t* value) override {}
  54   void FuzzUChar(unsigned char* value) override {}
  55   void FuzzWChar(wchar_t* value) override {}
  56   void FuzzUInt16(uint16* value) override {}
  57   void FuzzUInt32(uint32* value) override {}
  58   void FuzzInt64(int64* value) override {}
  59   void FuzzUInt64(uint64* value) override {}
  60   void FuzzFloat(float* value) override {}
  61   void FuzzDouble(double* value) override {}
  62   void FuzzString(std::string* value) override {}
  63   void FuzzString16(base::string16* value) override {}
  64   void FuzzData(char* data, int length) override {}
  65   void FuzzBytes(void* data, int data_len) override {}
  66 };
  67
  68 typedef IPC::Message* (*FuzzerFunction)(IPC::Message*, Fuzzer*);
  69
  70 // Used for mutating messages. Once populated, the map associates a message ID
  71 // with a FuzzerFunction used for mutation of that message type.
  72 typedef base::hash_map<uint32, FuzzerFunction> FuzzerFunctionMap;
  73 void PopulateFuzzerFunctionMap(FuzzerFunctionMap* map);
  74
  75 // Used for generating new messages. Once populated, the vector contains
  76 // FuzzerFunctions for all message types that we know how to generate.
  77 typedef std::vector<FuzzerFunction> FuzzerFunctionVector;
  78 void PopulateFuzzerFunctionVector(FuzzerFunctionVector* function_vector);
  79
  80 // Since IPC::Message can be serialized, we also track a global function vector
  81 // to handle generation of new messages while fuzzing.
  82 extern FuzzerFunctionVector g_function_vector;
  83
  84 }  // namespace ipc_fuzzer
  85
  86 #endif  // TOOLS_IPC_FUZZER_MUTATE_FUZZER_H_