1 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
2 // See https://llvm.org/LICENSE.txt for license information.
3 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
5 // Avoid ODR violations (LibFuzzer is built without ASan and this test is built
6 // with ASan) involving C++ standard library types when using libcxx.
7 #define _LIBCPP_HAS_NO_ASAN
9 // Do not attempt to use LLVM ostream etc from gtest.
10 #define GTEST_NO_LLVM_SUPPORT 1
12 #include "FuzzerCorpus.h"
13 #include "FuzzerDictionary.h"
14 #include "FuzzerInternal.h"
15 #include "FuzzerMerge.h"
16 #include "FuzzerMutate.h"
17 #include "FuzzerRandom.h"
18 #include "FuzzerTracePC.h"
19 #include "gtest/gtest.h"
24 using namespace fuzzer
;
26 // For now, have LLVMFuzzerTestOneInput just to make it link.
27 // Later we may want to make unittests that actually call
28 // LLVMFuzzerTestOneInput.
29 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data
, size_t Size
) {
33 TEST(Fuzzer
, Basename
) {
34 EXPECT_EQ(Basename("foo/bar"), "bar");
35 EXPECT_EQ(Basename("bar"), "bar");
36 EXPECT_EQ(Basename("/bar"), "bar");
37 EXPECT_EQ(Basename("foo/x"), "x");
38 EXPECT_EQ(Basename("foo/"), "");
40 EXPECT_EQ(Basename("foo\\bar"), "bar");
41 EXPECT_EQ(Basename("foo\\bar/baz"), "baz");
42 EXPECT_EQ(Basename("\\bar"), "bar");
43 EXPECT_EQ(Basename("foo\\x"), "x");
44 EXPECT_EQ(Basename("foo\\"), "");
48 TEST(Fuzzer
, CrossOver
) {
49 std::unique_ptr
<ExternalFunctions
> t(new ExternalFunctions());
52 std::unique_ptr
<MutationDispatcher
> MD(new MutationDispatcher(Rand
, {}));
53 Unit
A({0, 1, 2}), B({5, 6, 7});
91 for (size_t Len
= 1; Len
< 8; Len
++) {
92 std::set
<Unit
> FoundUnits
, ExpectedUnitsWitThisLength
;
93 for (int Iter
= 0; Iter
< 3000; Iter
++) {
95 size_t NewSize
= MD
->CrossOver(A
.data(), A
.size(), B
.data(), B
.size(),
100 for (const Unit
&U
: Expected
)
102 ExpectedUnitsWitThisLength
.insert(U
);
103 EXPECT_EQ(ExpectedUnitsWitThisLength
, FoundUnits
);
108 uint8_t A
[] = {'a', 'b', 'c'};
109 fuzzer::Unit
U(A
, A
+ sizeof(A
));
110 EXPECT_EQ("a9993e364706816aba3e25717850c26c9cd0d89d", fuzzer::Hash(U
));
112 EXPECT_EQ("81fe8bfe87576c3ecb22426f8e57847382917acf", fuzzer::Hash(U
));
115 typedef size_t (MutationDispatcher::*Mutator
)(uint8_t *Data
, size_t Size
,
118 void TestEraseBytes(Mutator M
, int NumIter
) {
119 std::unique_ptr
<ExternalFunctions
> t(new ExternalFunctions());
120 fuzzer::EF
= t
.get();
121 uint8_t REM0
[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
122 uint8_t REM1
[8] = {0x00, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
123 uint8_t REM2
[8] = {0x00, 0x11, 0x33, 0x44, 0x55, 0x66, 0x77};
124 uint8_t REM3
[8] = {0x00, 0x11, 0x22, 0x44, 0x55, 0x66, 0x77};
125 uint8_t REM4
[8] = {0x00, 0x11, 0x22, 0x33, 0x55, 0x66, 0x77};
126 uint8_t REM5
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x66, 0x77};
127 uint8_t REM6
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x77};
128 uint8_t REM7
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
130 uint8_t REM8
[6] = {0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
131 uint8_t REM9
[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
132 uint8_t REM10
[6] = {0x00, 0x11, 0x22, 0x55, 0x66, 0x77};
134 uint8_t REM11
[5] = {0x33, 0x44, 0x55, 0x66, 0x77};
135 uint8_t REM12
[5] = {0x00, 0x11, 0x22, 0x33, 0x44};
136 uint8_t REM13
[5] = {0x00, 0x44, 0x55, 0x66, 0x77};
140 std::unique_ptr
<MutationDispatcher
> MD(new MutationDispatcher(Rand
, {}));
142 for (int i
= 0; i
< NumIter
; i
++) {
143 uint8_t T
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
144 size_t NewSize
= (*MD
.*M
)(T
, sizeof(T
), sizeof(T
));
145 if (NewSize
== 7 && !memcmp(REM0
, T
, 7)) FoundMask
|= 1 << 0;
146 if (NewSize
== 7 && !memcmp(REM1
, T
, 7)) FoundMask
|= 1 << 1;
147 if (NewSize
== 7 && !memcmp(REM2
, T
, 7)) FoundMask
|= 1 << 2;
148 if (NewSize
== 7 && !memcmp(REM3
, T
, 7)) FoundMask
|= 1 << 3;
149 if (NewSize
== 7 && !memcmp(REM4
, T
, 7)) FoundMask
|= 1 << 4;
150 if (NewSize
== 7 && !memcmp(REM5
, T
, 7)) FoundMask
|= 1 << 5;
151 if (NewSize
== 7 && !memcmp(REM6
, T
, 7)) FoundMask
|= 1 << 6;
152 if (NewSize
== 7 && !memcmp(REM7
, T
, 7)) FoundMask
|= 1 << 7;
154 if (NewSize
== 6 && !memcmp(REM8
, T
, 6)) FoundMask
|= 1 << 8;
155 if (NewSize
== 6 && !memcmp(REM9
, T
, 6)) FoundMask
|= 1 << 9;
156 if (NewSize
== 6 && !memcmp(REM10
, T
, 6)) FoundMask
|= 1 << 10;
158 if (NewSize
== 5 && !memcmp(REM11
, T
, 5)) FoundMask
|= 1 << 11;
159 if (NewSize
== 5 && !memcmp(REM12
, T
, 5)) FoundMask
|= 1 << 12;
160 if (NewSize
== 5 && !memcmp(REM13
, T
, 5)) FoundMask
|= 1 << 13;
162 EXPECT_EQ(FoundMask
, (1 << 14) - 1);
165 TEST(FuzzerMutate
, EraseBytes1
) {
166 TestEraseBytes(&MutationDispatcher::Mutate_EraseBytes
, 200);
168 TEST(FuzzerMutate
, EraseBytes2
) {
169 TestEraseBytes(&MutationDispatcher::Mutate
, 2000);
172 void TestInsertByte(Mutator M
, int NumIter
) {
173 std::unique_ptr
<ExternalFunctions
> t(new ExternalFunctions());
174 fuzzer::EF
= t
.get();
176 std::unique_ptr
<MutationDispatcher
> MD(new MutationDispatcher(Rand
, {}));
178 uint8_t INS0
[8] = {0xF1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
179 uint8_t INS1
[8] = {0x00, 0xF2, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
180 uint8_t INS2
[8] = {0x00, 0x11, 0xF3, 0x22, 0x33, 0x44, 0x55, 0x66};
181 uint8_t INS3
[8] = {0x00, 0x11, 0x22, 0xF4, 0x33, 0x44, 0x55, 0x66};
182 uint8_t INS4
[8] = {0x00, 0x11, 0x22, 0x33, 0xF5, 0x44, 0x55, 0x66};
183 uint8_t INS5
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0xF6, 0x55, 0x66};
184 uint8_t INS6
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0xF7, 0x66};
185 uint8_t INS7
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0xF8};
186 for (int i
= 0; i
< NumIter
; i
++) {
187 uint8_t T
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
188 size_t NewSize
= (*MD
.*M
)(T
, 7, 8);
189 if (NewSize
== 8 && !memcmp(INS0
, T
, 8)) FoundMask
|= 1 << 0;
190 if (NewSize
== 8 && !memcmp(INS1
, T
, 8)) FoundMask
|= 1 << 1;
191 if (NewSize
== 8 && !memcmp(INS2
, T
, 8)) FoundMask
|= 1 << 2;
192 if (NewSize
== 8 && !memcmp(INS3
, T
, 8)) FoundMask
|= 1 << 3;
193 if (NewSize
== 8 && !memcmp(INS4
, T
, 8)) FoundMask
|= 1 << 4;
194 if (NewSize
== 8 && !memcmp(INS5
, T
, 8)) FoundMask
|= 1 << 5;
195 if (NewSize
== 8 && !memcmp(INS6
, T
, 8)) FoundMask
|= 1 << 6;
196 if (NewSize
== 8 && !memcmp(INS7
, T
, 8)) FoundMask
|= 1 << 7;
198 EXPECT_EQ(FoundMask
, 255);
201 TEST(FuzzerMutate
, InsertByte1
) {
202 TestInsertByte(&MutationDispatcher::Mutate_InsertByte
, 1 << 15);
204 TEST(FuzzerMutate
, InsertByte2
) {
205 TestInsertByte(&MutationDispatcher::Mutate
, 1 << 17);
208 void TestInsertRepeatedBytes(Mutator M
, int NumIter
) {
209 std::unique_ptr
<ExternalFunctions
> t(new ExternalFunctions());
210 fuzzer::EF
= t
.get();
212 std::unique_ptr
<MutationDispatcher
> MD(new MutationDispatcher(Rand
, {}));
214 uint8_t INS0
[7] = {0x00, 0x11, 0x22, 0x33, 'a', 'a', 'a'};
215 uint8_t INS1
[7] = {0x00, 0x11, 0x22, 'a', 'a', 'a', 0x33};
216 uint8_t INS2
[7] = {0x00, 0x11, 'a', 'a', 'a', 0x22, 0x33};
217 uint8_t INS3
[7] = {0x00, 'a', 'a', 'a', 0x11, 0x22, 0x33};
218 uint8_t INS4
[7] = {'a', 'a', 'a', 0x00, 0x11, 0x22, 0x33};
220 uint8_t INS5
[8] = {0x00, 0x11, 0x22, 0x33, 'b', 'b', 'b', 'b'};
221 uint8_t INS6
[8] = {0x00, 0x11, 0x22, 'b', 'b', 'b', 'b', 0x33};
222 uint8_t INS7
[8] = {0x00, 0x11, 'b', 'b', 'b', 'b', 0x22, 0x33};
223 uint8_t INS8
[8] = {0x00, 'b', 'b', 'b', 'b', 0x11, 0x22, 0x33};
224 uint8_t INS9
[8] = {'b', 'b', 'b', 'b', 0x00, 0x11, 0x22, 0x33};
226 for (int i
= 0; i
< NumIter
; i
++) {
227 uint8_t T
[8] = {0x00, 0x11, 0x22, 0x33};
228 size_t NewSize
= (*MD
.*M
)(T
, 4, 8);
229 if (NewSize
== 7 && !memcmp(INS0
, T
, 7)) FoundMask
|= 1 << 0;
230 if (NewSize
== 7 && !memcmp(INS1
, T
, 7)) FoundMask
|= 1 << 1;
231 if (NewSize
== 7 && !memcmp(INS2
, T
, 7)) FoundMask
|= 1 << 2;
232 if (NewSize
== 7 && !memcmp(INS3
, T
, 7)) FoundMask
|= 1 << 3;
233 if (NewSize
== 7 && !memcmp(INS4
, T
, 7)) FoundMask
|= 1 << 4;
235 if (NewSize
== 8 && !memcmp(INS5
, T
, 8)) FoundMask
|= 1 << 5;
236 if (NewSize
== 8 && !memcmp(INS6
, T
, 8)) FoundMask
|= 1 << 6;
237 if (NewSize
== 8 && !memcmp(INS7
, T
, 8)) FoundMask
|= 1 << 7;
238 if (NewSize
== 8 && !memcmp(INS8
, T
, 8)) FoundMask
|= 1 << 8;
239 if (NewSize
== 8 && !memcmp(INS9
, T
, 8)) FoundMask
|= 1 << 9;
242 EXPECT_EQ(FoundMask
, (1 << 10) - 1);
245 TEST(FuzzerMutate
, InsertRepeatedBytes1
) {
246 TestInsertRepeatedBytes(&MutationDispatcher::Mutate_InsertRepeatedBytes
,
249 TEST(FuzzerMutate
, InsertRepeatedBytes2
) {
250 TestInsertRepeatedBytes(&MutationDispatcher::Mutate
, 300000);
253 void TestChangeByte(Mutator M
, int NumIter
) {
254 std::unique_ptr
<ExternalFunctions
> t(new ExternalFunctions());
255 fuzzer::EF
= t
.get();
257 std::unique_ptr
<MutationDispatcher
> MD(new MutationDispatcher(Rand
, {}));
259 uint8_t CH0
[8] = {0xF0, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
260 uint8_t CH1
[8] = {0x00, 0xF1, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
261 uint8_t CH2
[8] = {0x00, 0x11, 0xF2, 0x33, 0x44, 0x55, 0x66, 0x77};
262 uint8_t CH3
[8] = {0x00, 0x11, 0x22, 0xF3, 0x44, 0x55, 0x66, 0x77};
263 uint8_t CH4
[8] = {0x00, 0x11, 0x22, 0x33, 0xF4, 0x55, 0x66, 0x77};
264 uint8_t CH5
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0xF5, 0x66, 0x77};
265 uint8_t CH6
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0xF5, 0x77};
266 uint8_t CH7
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0xF7};
267 for (int i
= 0; i
< NumIter
; i
++) {
268 uint8_t T
[9] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
269 size_t NewSize
= (*MD
.*M
)(T
, 8, 9);
270 if (NewSize
== 8 && !memcmp(CH0
, T
, 8)) FoundMask
|= 1 << 0;
271 if (NewSize
== 8 && !memcmp(CH1
, T
, 8)) FoundMask
|= 1 << 1;
272 if (NewSize
== 8 && !memcmp(CH2
, T
, 8)) FoundMask
|= 1 << 2;
273 if (NewSize
== 8 && !memcmp(CH3
, T
, 8)) FoundMask
|= 1 << 3;
274 if (NewSize
== 8 && !memcmp(CH4
, T
, 8)) FoundMask
|= 1 << 4;
275 if (NewSize
== 8 && !memcmp(CH5
, T
, 8)) FoundMask
|= 1 << 5;
276 if (NewSize
== 8 && !memcmp(CH6
, T
, 8)) FoundMask
|= 1 << 6;
277 if (NewSize
== 8 && !memcmp(CH7
, T
, 8)) FoundMask
|= 1 << 7;
279 EXPECT_EQ(FoundMask
, 255);
282 TEST(FuzzerMutate
, ChangeByte1
) {
283 TestChangeByte(&MutationDispatcher::Mutate_ChangeByte
, 1 << 15);
285 TEST(FuzzerMutate
, ChangeByte2
) {
286 TestChangeByte(&MutationDispatcher::Mutate
, 1 << 17);
289 void TestChangeBit(Mutator M
, int NumIter
) {
290 std::unique_ptr
<ExternalFunctions
> t(new ExternalFunctions());
291 fuzzer::EF
= t
.get();
293 std::unique_ptr
<MutationDispatcher
> MD(new MutationDispatcher(Rand
, {}));
295 uint8_t CH0
[8] = {0x01, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
296 uint8_t CH1
[8] = {0x00, 0x13, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
297 uint8_t CH2
[8] = {0x00, 0x11, 0x02, 0x33, 0x44, 0x55, 0x66, 0x77};
298 uint8_t CH3
[8] = {0x00, 0x11, 0x22, 0x37, 0x44, 0x55, 0x66, 0x77};
299 uint8_t CH4
[8] = {0x00, 0x11, 0x22, 0x33, 0x54, 0x55, 0x66, 0x77};
300 uint8_t CH5
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x54, 0x66, 0x77};
301 uint8_t CH6
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x76, 0x77};
302 uint8_t CH7
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0xF7};
303 for (int i
= 0; i
< NumIter
; i
++) {
304 uint8_t T
[9] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
305 size_t NewSize
= (*MD
.*M
)(T
, 8, 9);
306 if (NewSize
== 8 && !memcmp(CH0
, T
, 8)) FoundMask
|= 1 << 0;
307 if (NewSize
== 8 && !memcmp(CH1
, T
, 8)) FoundMask
|= 1 << 1;
308 if (NewSize
== 8 && !memcmp(CH2
, T
, 8)) FoundMask
|= 1 << 2;
309 if (NewSize
== 8 && !memcmp(CH3
, T
, 8)) FoundMask
|= 1 << 3;
310 if (NewSize
== 8 && !memcmp(CH4
, T
, 8)) FoundMask
|= 1 << 4;
311 if (NewSize
== 8 && !memcmp(CH5
, T
, 8)) FoundMask
|= 1 << 5;
312 if (NewSize
== 8 && !memcmp(CH6
, T
, 8)) FoundMask
|= 1 << 6;
313 if (NewSize
== 8 && !memcmp(CH7
, T
, 8)) FoundMask
|= 1 << 7;
315 EXPECT_EQ(FoundMask
, 255);
318 TEST(FuzzerMutate
, ChangeBit1
) {
319 TestChangeBit(&MutationDispatcher::Mutate_ChangeBit
, 1 << 16);
321 TEST(FuzzerMutate
, ChangeBit2
) {
322 TestChangeBit(&MutationDispatcher::Mutate
, 1 << 18);
325 void TestShuffleBytes(Mutator M
, int NumIter
) {
326 std::unique_ptr
<ExternalFunctions
> t(new ExternalFunctions());
327 fuzzer::EF
= t
.get();
329 std::unique_ptr
<MutationDispatcher
> MD(new MutationDispatcher(Rand
, {}));
331 uint8_t CH0
[7] = {0x00, 0x22, 0x11, 0x33, 0x44, 0x55, 0x66};
332 uint8_t CH1
[7] = {0x11, 0x00, 0x33, 0x22, 0x44, 0x55, 0x66};
333 uint8_t CH2
[7] = {0x00, 0x33, 0x11, 0x22, 0x44, 0x55, 0x66};
334 uint8_t CH3
[7] = {0x00, 0x11, 0x22, 0x44, 0x55, 0x66, 0x33};
335 uint8_t CH4
[7] = {0x00, 0x11, 0x22, 0x33, 0x55, 0x44, 0x66};
336 for (int i
= 0; i
< NumIter
; i
++) {
337 uint8_t T
[7] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
338 size_t NewSize
= (*MD
.*M
)(T
, 7, 7);
339 if (NewSize
== 7 && !memcmp(CH0
, T
, 7)) FoundMask
|= 1 << 0;
340 if (NewSize
== 7 && !memcmp(CH1
, T
, 7)) FoundMask
|= 1 << 1;
341 if (NewSize
== 7 && !memcmp(CH2
, T
, 7)) FoundMask
|= 1 << 2;
342 if (NewSize
== 7 && !memcmp(CH3
, T
, 7)) FoundMask
|= 1 << 3;
343 if (NewSize
== 7 && !memcmp(CH4
, T
, 7)) FoundMask
|= 1 << 4;
345 EXPECT_EQ(FoundMask
, 31);
348 TEST(FuzzerMutate
, ShuffleBytes1
) {
349 TestShuffleBytes(&MutationDispatcher::Mutate_ShuffleBytes
, 1 << 17);
351 TEST(FuzzerMutate
, ShuffleBytes2
) {
352 TestShuffleBytes(&MutationDispatcher::Mutate
, 1 << 20);
355 void TestCopyPart(Mutator M
, int NumIter
) {
356 std::unique_ptr
<ExternalFunctions
> t(new ExternalFunctions());
357 fuzzer::EF
= t
.get();
359 std::unique_ptr
<MutationDispatcher
> MD(new MutationDispatcher(Rand
, {}));
361 uint8_t CH0
[7] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x00, 0x11};
362 uint8_t CH1
[7] = {0x55, 0x66, 0x22, 0x33, 0x44, 0x55, 0x66};
363 uint8_t CH2
[7] = {0x00, 0x55, 0x66, 0x33, 0x44, 0x55, 0x66};
364 uint8_t CH3
[7] = {0x00, 0x11, 0x22, 0x00, 0x11, 0x22, 0x66};
365 uint8_t CH4
[7] = {0x00, 0x11, 0x11, 0x22, 0x33, 0x55, 0x66};
367 for (int i
= 0; i
< NumIter
; i
++) {
368 uint8_t T
[7] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
369 size_t NewSize
= (*MD
.*M
)(T
, 7, 7);
370 if (NewSize
== 7 && !memcmp(CH0
, T
, 7)) FoundMask
|= 1 << 0;
371 if (NewSize
== 7 && !memcmp(CH1
, T
, 7)) FoundMask
|= 1 << 1;
372 if (NewSize
== 7 && !memcmp(CH2
, T
, 7)) FoundMask
|= 1 << 2;
373 if (NewSize
== 7 && !memcmp(CH3
, T
, 7)) FoundMask
|= 1 << 3;
374 if (NewSize
== 7 && !memcmp(CH4
, T
, 7)) FoundMask
|= 1 << 4;
377 uint8_t CH5
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x00, 0x11, 0x22};
378 uint8_t CH6
[8] = {0x22, 0x33, 0x44, 0x00, 0x11, 0x22, 0x33, 0x44};
379 uint8_t CH7
[8] = {0x00, 0x11, 0x22, 0x00, 0x11, 0x22, 0x33, 0x44};
380 uint8_t CH8
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x22, 0x33, 0x44};
381 uint8_t CH9
[8] = {0x00, 0x11, 0x22, 0x22, 0x33, 0x44, 0x33, 0x44};
383 for (int i
= 0; i
< NumIter
; i
++) {
384 uint8_t T
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
385 size_t NewSize
= (*MD
.*M
)(T
, 5, 8);
386 if (NewSize
== 8 && !memcmp(CH5
, T
, 8)) FoundMask
|= 1 << 5;
387 if (NewSize
== 8 && !memcmp(CH6
, T
, 8)) FoundMask
|= 1 << 6;
388 if (NewSize
== 8 && !memcmp(CH7
, T
, 8)) FoundMask
|= 1 << 7;
389 if (NewSize
== 8 && !memcmp(CH8
, T
, 8)) FoundMask
|= 1 << 8;
390 if (NewSize
== 8 && !memcmp(CH9
, T
, 8)) FoundMask
|= 1 << 9;
393 EXPECT_EQ(FoundMask
, 1023);
396 TEST(FuzzerMutate
, CopyPart1
) {
397 TestCopyPart(&MutationDispatcher::Mutate_CopyPart
, 1 << 10);
399 TEST(FuzzerMutate
, CopyPart2
) {
400 TestCopyPart(&MutationDispatcher::Mutate
, 1 << 13);
402 TEST(FuzzerMutate
, CopyPartNoInsertAtMaxSize
) {
403 // This (non exhaustively) tests if `Mutate_CopyPart` tries to perform an
404 // insert on an input of size `MaxSize`. Performing an insert in this case
405 // will lead to the mutation failing.
406 std::unique_ptr
<ExternalFunctions
> t(new ExternalFunctions());
407 fuzzer::EF
= t
.get();
409 std::unique_ptr
<MutationDispatcher
> MD(new MutationDispatcher(Rand
, {}));
410 uint8_t Data
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x00, 0x11, 0x22};
411 size_t MaxSize
= sizeof(Data
);
412 for (int count
= 0; count
< (1 << 18); ++count
) {
413 size_t NewSize
= MD
->Mutate_CopyPart(Data
, MaxSize
, MaxSize
);
414 ASSERT_EQ(NewSize
, MaxSize
);
418 void TestAddWordFromDictionary(Mutator M
, int NumIter
) {
419 std::unique_ptr
<ExternalFunctions
> t(new ExternalFunctions());
420 fuzzer::EF
= t
.get();
422 std::unique_ptr
<MutationDispatcher
> MD(new MutationDispatcher(Rand
, {}));
423 uint8_t Word1
[4] = {0xAA, 0xBB, 0xCC, 0xDD};
424 uint8_t Word2
[3] = {0xFF, 0xEE, 0xEF};
425 MD
->AddWordToManualDictionary(Word(Word1
, sizeof(Word1
)));
426 MD
->AddWordToManualDictionary(Word(Word2
, sizeof(Word2
)));
428 uint8_t CH0
[7] = {0x00, 0x11, 0x22, 0xAA, 0xBB, 0xCC, 0xDD};
429 uint8_t CH1
[7] = {0x00, 0x11, 0xAA, 0xBB, 0xCC, 0xDD, 0x22};
430 uint8_t CH2
[7] = {0x00, 0xAA, 0xBB, 0xCC, 0xDD, 0x11, 0x22};
431 uint8_t CH3
[7] = {0xAA, 0xBB, 0xCC, 0xDD, 0x00, 0x11, 0x22};
432 uint8_t CH4
[6] = {0x00, 0x11, 0x22, 0xFF, 0xEE, 0xEF};
433 uint8_t CH5
[6] = {0x00, 0x11, 0xFF, 0xEE, 0xEF, 0x22};
434 uint8_t CH6
[6] = {0x00, 0xFF, 0xEE, 0xEF, 0x11, 0x22};
435 uint8_t CH7
[6] = {0xFF, 0xEE, 0xEF, 0x00, 0x11, 0x22};
436 for (int i
= 0; i
< NumIter
; i
++) {
437 uint8_t T
[7] = {0x00, 0x11, 0x22};
438 size_t NewSize
= (*MD
.*M
)(T
, 3, 7);
439 if (NewSize
== 7 && !memcmp(CH0
, T
, 7)) FoundMask
|= 1 << 0;
440 if (NewSize
== 7 && !memcmp(CH1
, T
, 7)) FoundMask
|= 1 << 1;
441 if (NewSize
== 7 && !memcmp(CH2
, T
, 7)) FoundMask
|= 1 << 2;
442 if (NewSize
== 7 && !memcmp(CH3
, T
, 7)) FoundMask
|= 1 << 3;
443 if (NewSize
== 6 && !memcmp(CH4
, T
, 6)) FoundMask
|= 1 << 4;
444 if (NewSize
== 6 && !memcmp(CH5
, T
, 6)) FoundMask
|= 1 << 5;
445 if (NewSize
== 6 && !memcmp(CH6
, T
, 6)) FoundMask
|= 1 << 6;
446 if (NewSize
== 6 && !memcmp(CH7
, T
, 6)) FoundMask
|= 1 << 7;
448 EXPECT_EQ(FoundMask
, 255);
451 TEST(FuzzerMutate
, AddWordFromDictionary1
) {
452 TestAddWordFromDictionary(
453 &MutationDispatcher::Mutate_AddWordFromManualDictionary
, 1 << 15);
456 TEST(FuzzerMutate
, AddWordFromDictionary2
) {
457 TestAddWordFromDictionary(&MutationDispatcher::Mutate
, 1 << 15);
460 void TestChangeASCIIInteger(Mutator M
, int NumIter
) {
461 std::unique_ptr
<ExternalFunctions
> t(new ExternalFunctions());
462 fuzzer::EF
= t
.get();
464 std::unique_ptr
<MutationDispatcher
> MD(new MutationDispatcher(Rand
, {}));
466 uint8_t CH0
[8] = {'1', '2', '3', '4', '5', '6', '7', '7'};
467 uint8_t CH1
[8] = {'1', '2', '3', '4', '5', '6', '7', '9'};
468 uint8_t CH2
[8] = {'2', '4', '6', '9', '1', '3', '5', '6'};
469 uint8_t CH3
[8] = {'0', '6', '1', '7', '2', '8', '3', '9'};
471 for (int i
= 0; i
< NumIter
; i
++) {
472 uint8_t T
[8] = {'1', '2', '3', '4', '5', '6', '7', '8'};
473 size_t NewSize
= (*MD
.*M
)(T
, 8, 8);
474 /**/ if (NewSize
== 8 && !memcmp(CH0
, T
, 8)) FoundMask
|= 1 << 0;
475 else if (NewSize
== 8 && !memcmp(CH1
, T
, 8)) FoundMask
|= 1 << 1;
476 else if (NewSize
== 8 && !memcmp(CH2
, T
, 8)) FoundMask
|= 1 << 2;
477 else if (NewSize
== 8 && !memcmp(CH3
, T
, 8)) FoundMask
|= 1 << 3;
478 else if (NewSize
== 8) FoundMask
|= 1 << 4;
480 EXPECT_EQ(FoundMask
, 31);
483 TEST(FuzzerMutate
, ChangeASCIIInteger1
) {
484 TestChangeASCIIInteger(&MutationDispatcher::Mutate_ChangeASCIIInteger
,
488 TEST(FuzzerMutate
, ChangeASCIIInteger2
) {
489 TestChangeASCIIInteger(&MutationDispatcher::Mutate
, 1 << 15);
492 void TestChangeBinaryInteger(Mutator M
, int NumIter
) {
493 std::unique_ptr
<ExternalFunctions
> t(new ExternalFunctions());
494 fuzzer::EF
= t
.get();
496 std::unique_ptr
<MutationDispatcher
> MD(new MutationDispatcher(Rand
, {}));
498 uint8_t CH0
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x79};
499 uint8_t CH1
[8] = {0x00, 0x11, 0x22, 0x31, 0x44, 0x55, 0x66, 0x77};
500 uint8_t CH2
[8] = {0xff, 0x10, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
501 uint8_t CH3
[8] = {0x00, 0x11, 0x2a, 0x33, 0x44, 0x55, 0x66, 0x77};
502 uint8_t CH4
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x4f, 0x66, 0x77};
503 uint8_t CH5
[8] = {0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99, 0x88};
504 uint8_t CH6
[8] = {0x00, 0x11, 0x22, 0x00, 0x00, 0x00, 0x08, 0x77}; // Size
505 uint8_t CH7
[8] = {0x00, 0x08, 0x00, 0x33, 0x44, 0x55, 0x66, 0x77}; // Sw(Size)
508 for (int i
= 0; i
< NumIter
; i
++) {
509 uint8_t T
[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
510 size_t NewSize
= (*MD
.*M
)(T
, 8, 8);
511 /**/ if (NewSize
== 8 && !memcmp(CH0
, T
, 8)) FoundMask
|= 1 << 0;
512 else if (NewSize
== 8 && !memcmp(CH1
, T
, 8)) FoundMask
|= 1 << 1;
513 else if (NewSize
== 8 && !memcmp(CH2
, T
, 8)) FoundMask
|= 1 << 2;
514 else if (NewSize
== 8 && !memcmp(CH3
, T
, 8)) FoundMask
|= 1 << 3;
515 else if (NewSize
== 8 && !memcmp(CH4
, T
, 8)) FoundMask
|= 1 << 4;
516 else if (NewSize
== 8 && !memcmp(CH5
, T
, 8)) FoundMask
|= 1 << 5;
517 else if (NewSize
== 8 && !memcmp(CH6
, T
, 8)) FoundMask
|= 1 << 6;
518 else if (NewSize
== 8 && !memcmp(CH7
, T
, 8)) FoundMask
|= 1 << 7;
520 EXPECT_EQ(FoundMask
, 255);
523 TEST(FuzzerMutate
, ChangeBinaryInteger1
) {
524 TestChangeBinaryInteger(&MutationDispatcher::Mutate_ChangeBinaryInteger
,
528 TEST(FuzzerMutate
, ChangeBinaryInteger2
) {
529 TestChangeBinaryInteger(&MutationDispatcher::Mutate
, 1 << 15);
533 TEST(FuzzerDictionary
, ParseOneDictionaryEntry
) {
535 EXPECT_FALSE(ParseOneDictionaryEntry("", &U
));
536 EXPECT_FALSE(ParseOneDictionaryEntry(" ", &U
));
537 EXPECT_FALSE(ParseOneDictionaryEntry("\t ", &U
));
538 EXPECT_FALSE(ParseOneDictionaryEntry(" \" ", &U
));
539 EXPECT_FALSE(ParseOneDictionaryEntry(" zz\" ", &U
));
540 EXPECT_FALSE(ParseOneDictionaryEntry(" \"zz ", &U
));
541 EXPECT_FALSE(ParseOneDictionaryEntry(" \"\" ", &U
));
542 EXPECT_TRUE(ParseOneDictionaryEntry("\"a\"", &U
));
543 EXPECT_EQ(U
, Unit({'a'}));
544 EXPECT_TRUE(ParseOneDictionaryEntry("\"abc\"", &U
));
545 EXPECT_EQ(U
, Unit({'a', 'b', 'c'}));
546 EXPECT_TRUE(ParseOneDictionaryEntry("abc=\"abc\"", &U
));
547 EXPECT_EQ(U
, Unit({'a', 'b', 'c'}));
548 EXPECT_FALSE(ParseOneDictionaryEntry("\"\\\"", &U
));
549 EXPECT_TRUE(ParseOneDictionaryEntry("\"\\\\\"", &U
));
550 EXPECT_EQ(U
, Unit({'\\'}));
551 EXPECT_TRUE(ParseOneDictionaryEntry("\"\\xAB\"", &U
));
552 EXPECT_EQ(U
, Unit({0xAB}));
553 EXPECT_TRUE(ParseOneDictionaryEntry("\"\\xABz\\xDE\"", &U
));
554 EXPECT_EQ(U
, Unit({0xAB, 'z', 0xDE}));
555 EXPECT_TRUE(ParseOneDictionaryEntry("\"#\"", &U
));
556 EXPECT_EQ(U
, Unit({'#'}));
557 EXPECT_TRUE(ParseOneDictionaryEntry("\"\\\"\"", &U
));
558 EXPECT_EQ(U
, Unit({'"'}));
561 TEST(FuzzerDictionary
, ParseDictionaryFile
) {
562 std::vector
<Unit
> Units
;
563 EXPECT_FALSE(ParseDictionaryFile("zzz\n", &Units
));
564 EXPECT_FALSE(ParseDictionaryFile("", &Units
));
565 EXPECT_TRUE(ParseDictionaryFile("\n", &Units
));
566 EXPECT_EQ(Units
.size(), 0U);
567 EXPECT_TRUE(ParseDictionaryFile("#zzzz a b c d\n", &Units
));
568 EXPECT_EQ(Units
.size(), 0U);
569 EXPECT_TRUE(ParseDictionaryFile(" #zzzz\n", &Units
));
570 EXPECT_EQ(Units
.size(), 0U);
571 EXPECT_TRUE(ParseDictionaryFile(" #zzzz\n", &Units
));
572 EXPECT_EQ(Units
.size(), 0U);
573 EXPECT_TRUE(ParseDictionaryFile(" #zzzz\naaa=\"aa\"", &Units
));
574 EXPECT_EQ(Units
, std::vector
<Unit
>({Unit({'a', 'a'})}));
576 ParseDictionaryFile(" #zzzz\naaa=\"aa\"\n\nabc=\"abc\"", &Units
));
578 std::vector
<Unit
>({Unit({'a', 'a'}), Unit({'a', 'b', 'c'})}));
581 TEST(FuzzerUtil
, Base64
) {
582 EXPECT_EQ("", Base64({}));
583 EXPECT_EQ("YQ==", Base64({'a'}));
584 EXPECT_EQ("eA==", Base64({'x'}));
585 EXPECT_EQ("YWI=", Base64({'a', 'b'}));
586 EXPECT_EQ("eHk=", Base64({'x', 'y'}));
587 EXPECT_EQ("YWJj", Base64({'a', 'b', 'c'}));
588 EXPECT_EQ("eHl6", Base64({'x', 'y', 'z'}));
589 EXPECT_EQ("YWJjeA==", Base64({'a', 'b', 'c', 'x'}));
590 EXPECT_EQ("YWJjeHk=", Base64({'a', 'b', 'c', 'x', 'y'}));
591 EXPECT_EQ("YWJjeHl6", Base64({'a', 'b', 'c', 'x', 'y', 'z'}));
595 class PrintfCapture
{
598 OldOutputFile
= GetOutputFile();
599 SetOutputFile(open_memstream(&Buffer
, &Size
));
602 fclose(GetOutputFile());
603 SetOutputFile(OldOutputFile
);
606 std::string
str() { return std::string(Buffer
, Size
); }
614 TEST(FuzzerUtil
, PrintASCII
) {
615 auto f
= [](const char *Str
, const char *PrintAfter
= "") {
616 PrintfCapture Capture
;
617 PrintASCII(reinterpret_cast<const uint8_t*>(Str
), strlen(Str
), PrintAfter
);
618 return Capture
.str();
620 EXPECT_EQ("hello", f("hello"));
621 EXPECT_EQ("c:\\\\", f("c:\\"));
622 EXPECT_EQ("\\\"hi\\\"", f("\"hi\""));
623 EXPECT_EQ("\\011a", f("\ta"));
624 EXPECT_EQ("\\0111", f("\t1"));
625 EXPECT_EQ("hello\\012", f("hello\n"));
626 EXPECT_EQ("hello\n", f("hello", "\n"));
630 TEST(Corpus
, Distribution
) {
633 struct EntropicOptions Entropic
= {false, 0xFF, 100, false};
634 std::unique_ptr
<InputCorpus
> C(new InputCorpus("", Entropic
));
636 size_t TriesPerUnit
= 1<<16;
637 for (size_t i
= 0; i
< N
; i
++)
638 C
->AddToCorpus(Unit
{static_cast<uint8_t>(i
)}, /*NumFeatures*/ 1,
639 /*MayDeleteFile*/ false, /*HasFocusFunction*/ false,
640 /*ForceAddToCorpus*/ false,
641 /*TimeOfUnit*/ std::chrono::microseconds(0),
642 /*FeatureSet*/ {}, DFT
,
645 std::vector
<size_t> Hist(N
);
646 for (size_t i
= 0; i
< N
* TriesPerUnit
; i
++) {
647 Hist
[C
->ChooseUnitIdxToMutate(Rand
)]++;
649 for (size_t i
= 0; i
< N
; i
++) {
650 // A weak sanity check that every unit gets invoked.
651 EXPECT_GT(Hist
[i
], TriesPerUnit
/ N
/ 3);
655 TEST(Corpus
, Replace
) {
657 struct EntropicOptions Entropic
= {false, 0xFF, 100, false};
658 std::unique_ptr
<InputCorpus
> C(
659 new InputCorpus(/*OutputCorpus*/ "", Entropic
));
661 C
->AddToCorpus(Unit
{0x01, 0x00}, /*NumFeatures*/ 1,
662 /*MayDeleteFile*/ false, /*HasFocusFunction*/ false,
663 /*ForceAddToCorpus*/ false,
664 /*TimeOfUnit*/ std::chrono::microseconds(1234),
665 /*FeatureSet*/ {}, DFT
,
667 InputInfo
*SecondII
=
668 C
->AddToCorpus(Unit
{0x02}, /*NumFeatures*/ 1,
669 /*MayDeleteFile*/ false, /*HasFocusFunction*/ false,
670 /*ForceAddToCorpus*/ false,
671 /*TimeOfUnit*/ std::chrono::microseconds(5678),
672 /*FeatureSet*/ {}, DFT
,
674 Unit ReplacedU
= Unit
{0x03};
676 C
->Replace(FirstII
, ReplacedU
,
677 /*TimeOfUnit*/ std::chrono::microseconds(321));
679 // FirstII should be replaced.
680 EXPECT_EQ(FirstII
->U
, Unit
{0x03});
681 EXPECT_EQ(FirstII
->Reduced
, true);
682 EXPECT_EQ(FirstII
->TimeOfUnit
, std::chrono::microseconds(321));
683 std::vector
<uint8_t> ExpectedSha1(kSHA1NumBytes
);
684 ComputeSHA1(ReplacedU
.data(), ReplacedU
.size(), ExpectedSha1
.data());
685 std::vector
<uint8_t> IISha1(FirstII
->Sha1
, FirstII
->Sha1
+ kSHA1NumBytes
);
686 EXPECT_EQ(IISha1
, ExpectedSha1
);
688 // SecondII should not be replaced.
689 EXPECT_EQ(SecondII
->U
, Unit
{0x02});
690 EXPECT_EQ(SecondII
->Reduced
, false);
691 EXPECT_EQ(SecondII
->TimeOfUnit
, std::chrono::microseconds(5678));
694 template <typename T
>
695 void EQ(const std::vector
<T
> &A
, const std::vector
<T
> &B
) {
699 template <typename T
> void EQ(const std::set
<T
> &A
, const std::vector
<T
> &B
) {
700 EXPECT_EQ(A
, std::set
<T
>(B
.begin(), B
.end()));
703 void EQ(const std::vector
<MergeFileInfo
> &A
,
704 const std::vector
<std::string
> &B
) {
705 std::set
<std::string
> a
;
706 for (const auto &File
: A
)
708 std::set
<std::string
> b(B
.begin(), B
.end());
712 #define TRACED_EQ(A, ...) \
715 EQ(A, __VA_ARGS__); \
718 TEST(Merger
, Parse
) {
721 const char *kInvalidInputs
[] = {
733 "2\n1\nA\nSTARTED 0\nBAD 0 0x0",
735 "1\n1\nA\nSTARTED 1",
736 "2\n1\nA\nSTARTED 0\nFT 1 0x0",
738 for (auto S
: kInvalidInputs
) {
740 EXPECT_FALSE(M
.Parse(S
, false));
743 // Parse initial control file
744 EXPECT_TRUE(M
.Parse("1\n0\nAA\n", false));
745 ASSERT_EQ(M
.Files
.size(), 1U);
746 EXPECT_EQ(M
.NumFilesInFirstCorpus
, 0U);
747 EXPECT_EQ(M
.Files
[0].Name
, "AA");
748 EXPECT_TRUE(M
.LastFailure
.empty());
749 EXPECT_EQ(M
.FirstNotProcessedFile
, 0U);
751 // Parse control file that failed on first attempt
752 EXPECT_TRUE(M
.Parse("2\n1\nAA\nBB\nSTARTED 0 42\n", false));
753 ASSERT_EQ(M
.Files
.size(), 2U);
754 EXPECT_EQ(M
.NumFilesInFirstCorpus
, 1U);
755 EXPECT_EQ(M
.Files
[0].Name
, "AA");
756 EXPECT_EQ(M
.Files
[1].Name
, "BB");
757 EXPECT_EQ(M
.LastFailure
, "AA");
758 EXPECT_EQ(M
.FirstNotProcessedFile
, 1U);
760 // Parse control file that failed on later attempt
761 EXPECT_TRUE(M
.Parse("3\n1\nAA\nBB\nC\n"
769 ASSERT_EQ(M
.Files
.size(), 3U);
770 EXPECT_EQ(M
.NumFilesInFirstCorpus
, 1U);
771 EXPECT_EQ(M
.Files
[0].Name
, "AA");
772 EXPECT_EQ(M
.Files
[0].Size
, 1000U);
773 EXPECT_EQ(M
.Files
[1].Name
, "BB");
774 EXPECT_EQ(M
.Files
[1].Size
, 1001U);
775 EXPECT_EQ(M
.Files
[2].Name
, "C");
776 EXPECT_EQ(M
.Files
[2].Size
, 1002U);
777 EXPECT_EQ(M
.LastFailure
, "C");
778 EXPECT_EQ(M
.FirstNotProcessedFile
, 3U);
779 TRACED_EQ(M
.Files
[0].Features
, {1, 2, 3});
780 TRACED_EQ(M
.Files
[1].Features
, {4, 5, 6});
782 // Parse control file without features or PCs
783 EXPECT_TRUE(M
.Parse("2\n0\nAA\nBB\n"
792 ASSERT_EQ(M
.Files
.size(), 2U);
793 EXPECT_EQ(M
.NumFilesInFirstCorpus
, 0U);
794 EXPECT_TRUE(M
.LastFailure
.empty());
795 EXPECT_EQ(M
.FirstNotProcessedFile
, 2U);
796 EXPECT_TRUE(M
.Files
[0].Features
.empty());
797 EXPECT_TRUE(M
.Files
[0].Cov
.empty());
798 EXPECT_TRUE(M
.Files
[1].Features
.empty());
799 EXPECT_TRUE(M
.Files
[1].Cov
.empty());
801 // Parse features and PCs
802 EXPECT_TRUE(M
.Parse("3\n2\nAA\nBB\nC\n"
814 ASSERT_EQ(M
.Files
.size(), 3U);
815 EXPECT_EQ(M
.NumFilesInFirstCorpus
, 2U);
816 EXPECT_TRUE(M
.LastFailure
.empty());
817 EXPECT_EQ(M
.FirstNotProcessedFile
, 3U);
818 TRACED_EQ(M
.Files
[0].Features
, {1, 2, 3});
819 TRACED_EQ(M
.Files
[0].Cov
, {11, 12, 13});
820 TRACED_EQ(M
.Files
[1].Features
, {4, 5, 6});
821 TRACED_EQ(M
.Files
[1].Cov
, {7, 8, 9});
822 TRACED_EQ(M
.Files
[2].Features
, {1, 3, 6});
823 TRACED_EQ(M
.Files
[2].Cov
, {16});
826 TEST(Merger
, Merge
) {
828 std::set
<uint32_t> Features
, NewFeatures
;
829 std::set
<uint32_t> Cov
, NewCov
;
830 std::vector
<std::string
> NewFiles
;
832 // Adds new files and features
833 EXPECT_TRUE(M
.Parse("3\n0\nA\nB\nC\n"
842 EXPECT_EQ(M
.Merge(Features
, &NewFeatures
, Cov
, &NewCov
, &NewFiles
), 6U);
843 TRACED_EQ(M
.Files
, {"A", "B", "C"});
844 TRACED_EQ(NewFiles
, {"A", "B"});
845 TRACED_EQ(NewFeatures
, {1, 2, 3, 4, 5, 6});
847 // Doesn't return features or files in the initial corpus.
848 EXPECT_TRUE(M
.Parse("3\n1\nA\nB\nC\n"
857 EXPECT_EQ(M
.Merge(Features
, &NewFeatures
, Cov
, &NewCov
, &NewFiles
), 3U);
858 TRACED_EQ(M
.Files
, {"A", "B", "C"});
859 TRACED_EQ(NewFiles
, {"B"});
860 TRACED_EQ(NewFeatures
, {4, 5, 6});
862 // No new features, so no new files
863 EXPECT_TRUE(M
.Parse("3\n2\nA\nB\nC\n"
872 EXPECT_EQ(M
.Merge(Features
, &NewFeatures
, Cov
, &NewCov
, &NewFiles
), 0U);
873 TRACED_EQ(M
.Files
, {"A", "B", "C"});
874 TRACED_EQ(NewFiles
, {});
875 TRACED_EQ(NewFeatures
, {});
877 // Can pass initial features and coverage.
878 Features
= {1, 2, 3};
880 EXPECT_TRUE(M
.Parse("2\n0\nA\nB\n"
887 EXPECT_EQ(M
.Merge(Features
, &NewFeatures
, Cov
, &NewCov
, &NewFiles
), 3U);
888 TRACED_EQ(M
.Files
, {"A", "B"});
889 TRACED_EQ(NewFiles
, {"B"});
890 TRACED_EQ(NewFeatures
, {4, 5, 6});
894 // Parse smaller files first
895 EXPECT_TRUE(M
.Parse("3\n0\nA\nB\nC\n"
904 EXPECT_EQ(M
.Merge(Features
, &NewFeatures
, Cov
, &NewCov
, &NewFiles
), 6U);
905 TRACED_EQ(M
.Files
, {"B", "C", "A"});
906 TRACED_EQ(NewFiles
, {"B", "C", "A"});
907 TRACED_EQ(NewFeatures
, {1, 2, 3, 4, 5, 6});
909 EXPECT_TRUE(M
.Parse("4\n0\nA\nB\nC\nD\n"
920 EXPECT_EQ(M
.Merge(Features
, &NewFeatures
, Cov
, &NewCov
, &NewFiles
), 7U);
921 TRACED_EQ(M
.Files
, {"A", "B", "C", "D"});
922 TRACED_EQ(NewFiles
, {"D", "B", "C", "A"});
923 TRACED_EQ(NewFeatures
, {1, 2, 3, 4, 5, 6, 100});
925 // For same sized file, parse more features first
926 EXPECT_TRUE(M
.Parse("4\n1\nA\nB\nC\nD\n"
937 EXPECT_EQ(M
.Merge(Features
, &NewFeatures
, Cov
, &NewCov
, &NewFiles
), 3U);
938 TRACED_EQ(M
.Files
, {"A", "B", "C", "D"});
939 TRACED_EQ(NewFiles
, {"D", "B"});
940 TRACED_EQ(NewFeatures
, {1, 2, 3});
943 TEST(Merger
, SetCoverMerge
) {
945 std::set
<uint32_t> Features
, NewFeatures
;
946 std::set
<uint32_t> Cov
, NewCov
;
947 std::vector
<std::string
> NewFiles
;
949 // Adds new files and features
950 EXPECT_TRUE(M
.Parse("3\n0\nA\nB\nC\n"
959 EXPECT_EQ(M
.SetCoverMerge(Features
, &NewFeatures
, Cov
, &NewCov
, &NewFiles
),
961 TRACED_EQ(M
.Files
, {"A", "B", "C"});
962 TRACED_EQ(NewFiles
, {"A", "B"});
963 TRACED_EQ(NewFeatures
, {1, 2, 3, 4, 5, 6});
965 // Doesn't return features or files in the initial corpus.
966 EXPECT_TRUE(M
.Parse("3\n1\nA\nB\nC\n"
975 EXPECT_EQ(M
.SetCoverMerge(Features
, &NewFeatures
, Cov
, &NewCov
, &NewFiles
),
977 TRACED_EQ(M
.Files
, {"A", "B", "C"});
978 TRACED_EQ(NewFiles
, {"B"});
979 TRACED_EQ(NewFeatures
, {4, 5, 6});
981 // No new features, so no new files
982 EXPECT_TRUE(M
.Parse("3\n2\nA\nB\nC\n"
991 EXPECT_EQ(M
.SetCoverMerge(Features
, &NewFeatures
, Cov
, &NewCov
, &NewFiles
),
993 TRACED_EQ(M
.Files
, {"A", "B", "C"});
994 TRACED_EQ(NewFiles
, {});
995 TRACED_EQ(NewFeatures
, {});
997 // Can pass initial features and coverage.
998 Features
= {1, 2, 3};
1000 EXPECT_TRUE(M
.Parse("2\n0\nA\nB\n"
1007 EXPECT_EQ(M
.SetCoverMerge(Features
, &NewFeatures
, Cov
, &NewCov
, &NewFiles
),
1009 TRACED_EQ(M
.Files
, {"A", "B"});
1010 TRACED_EQ(NewFiles
, {"B"});
1011 TRACED_EQ(NewFeatures
, {4, 5, 6});
1015 // Prefer files with a lot of features first (C has 4 features)
1016 // Then prefer B over A due to the smaller size. After choosing C and B,
1017 // A and D have no new features to contribute.
1018 EXPECT_TRUE(M
.Parse("4\n0\nA\nB\nC\nD\n"
1029 EXPECT_EQ(M
.SetCoverMerge(Features
, &NewFeatures
, Cov
, &NewCov
, &NewFiles
),
1031 TRACED_EQ(M
.Files
, {"A", "B", "C", "D"});
1032 TRACED_EQ(NewFiles
, {"C", "B"});
1033 TRACED_EQ(NewFeatures
, {1, 2, 3, 4, 5, 6});
1035 // Only 1 file covers all features.
1036 EXPECT_TRUE(M
.Parse("4\n1\nA\nB\nC\nD\n"
1047 EXPECT_EQ(M
.SetCoverMerge(Features
, &NewFeatures
, Cov
, &NewCov
, &NewFiles
),
1049 TRACED_EQ(M
.Files
, {"A", "B", "C", "D"});
1050 TRACED_EQ(NewFiles
, {"B"});
1051 TRACED_EQ(NewFeatures
, {1, 2, 3});
1053 // A Feature has a value greater than (1 << 21) and hence
1054 // there are collisions in the underlying `covered features`
1056 EXPECT_TRUE(M
.Parse("3\n0\nA\nB\nC\n"
1062 "FT 2 3 2097153 \n" // Last feature is (2^21 + 1).
1065 EXPECT_EQ(M
.SetCoverMerge(Features
, &NewFeatures
, Cov
, &NewCov
, &NewFiles
),
1067 TRACED_EQ(M
.Files
, {"A", "B", "C"});
1068 // File 'C' is not added because it's last feature is considered
1069 // covered due to collision with feature 1.
1070 TRACED_EQ(NewFiles
, {"B", "A"});
1071 TRACED_EQ(NewFeatures
, {1, 2, 3, 4, 5});
1076 TEST(DFT
, BlockCoverage
) {
1078 // Assuming C0 has 5 instrumented blocks,
1079 // C1: 7 blocks, C2: 4, C3: 9, C4 never covered, C5: 15,
1082 EXPECT_TRUE(Cov
.AppendCoverage("C0 5\n"));
1083 EXPECT_EQ(Cov
.GetCounter(0, 0), 1U);
1084 EXPECT_EQ(Cov
.GetCounter(0, 1), 0U); // not seen this BB yet.
1085 EXPECT_EQ(Cov
.GetCounter(0, 5), 0U); // BB ID out of bounds.
1086 EXPECT_EQ(Cov
.GetCounter(1, 0), 0U); // not seen this function yet.
1088 EXPECT_EQ(Cov
.GetNumberOfBlocks(0), 5U);
1089 EXPECT_EQ(Cov
.GetNumberOfCoveredBlocks(0), 1U);
1090 EXPECT_EQ(Cov
.GetNumberOfBlocks(1), 0U);
1093 EXPECT_FALSE(Cov
.AppendCoverage("C0\n")); // No total number.
1094 EXPECT_FALSE(Cov
.AppendCoverage("C0 7\n")); // No total number.
1095 EXPECT_FALSE(Cov
.AppendCoverage("CZ\n")); // Wrong function number.
1096 EXPECT_FALSE(Cov
.AppendCoverage("C1 7 7")); // BB ID is too big.
1097 EXPECT_FALSE(Cov
.AppendCoverage("C1 100 7")); // BB ID is too big.
1099 // Add C0 more times.
1100 EXPECT_TRUE(Cov
.AppendCoverage("C0 5\n"));
1101 EXPECT_EQ(Cov
.GetCounter(0, 0), 2U);
1102 EXPECT_TRUE(Cov
.AppendCoverage("C0 1 2 5\n"));
1103 EXPECT_EQ(Cov
.GetCounter(0, 0), 3U);
1104 EXPECT_EQ(Cov
.GetCounter(0, 1), 1U);
1105 EXPECT_EQ(Cov
.GetCounter(0, 2), 1U);
1106 EXPECT_EQ(Cov
.GetCounter(0, 3), 0U);
1107 EXPECT_EQ(Cov
.GetCounter(0, 4), 0U);
1108 EXPECT_EQ(Cov
.GetNumberOfCoveredBlocks(0), 3U);
1109 EXPECT_TRUE(Cov
.AppendCoverage("C0 1 3 4 5\n"));
1110 EXPECT_EQ(Cov
.GetCounter(0, 0), 4U);
1111 EXPECT_EQ(Cov
.GetCounter(0, 1), 2U);
1112 EXPECT_EQ(Cov
.GetCounter(0, 2), 1U);
1113 EXPECT_EQ(Cov
.GetCounter(0, 3), 1U);
1114 EXPECT_EQ(Cov
.GetCounter(0, 4), 1U);
1115 EXPECT_EQ(Cov
.GetNumberOfCoveredBlocks(0), 5U);
1117 EXPECT_TRUE(Cov
.AppendCoverage("C1 7\nC2 4\nC3 9\nC5 15\nC0 5\n"));
1118 EXPECT_EQ(Cov
.GetCounter(0, 0), 5U);
1119 EXPECT_EQ(Cov
.GetCounter(1, 0), 1U);
1120 EXPECT_EQ(Cov
.GetCounter(2, 0), 1U);
1121 EXPECT_EQ(Cov
.GetCounter(3, 0), 1U);
1122 EXPECT_EQ(Cov
.GetCounter(4, 0), 0U);
1123 EXPECT_EQ(Cov
.GetCounter(5, 0), 1U);
1125 EXPECT_TRUE(Cov
.AppendCoverage("C3 4 5 9\nC5 11 12 15"));
1126 EXPECT_EQ(Cov
.GetCounter(0, 0), 5U);
1127 EXPECT_EQ(Cov
.GetCounter(1, 0), 1U);
1128 EXPECT_EQ(Cov
.GetCounter(2, 0), 1U);
1129 EXPECT_EQ(Cov
.GetCounter(3, 0), 2U);
1130 EXPECT_EQ(Cov
.GetCounter(3, 4), 1U);
1131 EXPECT_EQ(Cov
.GetCounter(3, 5), 1U);
1132 EXPECT_EQ(Cov
.GetCounter(3, 6), 0U);
1133 EXPECT_EQ(Cov
.GetCounter(4, 0), 0U);
1134 EXPECT_EQ(Cov
.GetCounter(5, 0), 2U);
1135 EXPECT_EQ(Cov
.GetCounter(5, 10), 0U);
1136 EXPECT_EQ(Cov
.GetCounter(5, 11), 1U);
1137 EXPECT_EQ(Cov
.GetCounter(5, 12), 1U);
1140 TEST(DFT
, FunctionWeights
) {
1142 // unused function gets zero weight.
1143 EXPECT_TRUE(Cov
.AppendCoverage("C0 5\n"));
1144 auto Weights
= Cov
.FunctionWeights(2);
1145 EXPECT_GT(Weights
[0], 0.);
1146 EXPECT_EQ(Weights
[1], 0.);
1148 // Less frequently used function gets less weight.
1150 EXPECT_TRUE(Cov
.AppendCoverage("C0 5\nC1 5\nC1 5\n"));
1151 Weights
= Cov
.FunctionWeights(2);
1152 EXPECT_GT(Weights
[0], Weights
[1]);
1154 // A function with more uncovered blocks gets more weight.
1156 EXPECT_TRUE(Cov
.AppendCoverage("C0 1 2 3 5\nC1 2 4\n"));
1157 Weights
= Cov
.FunctionWeights(2);
1158 EXPECT_GT(Weights
[1], Weights
[0]);
1160 // A function with DFT gets more weight than the function w/o DFT.
1162 EXPECT_TRUE(Cov
.AppendCoverage("F1 111\nC0 3\nC1 1 2 3\n"));
1163 Weights
= Cov
.FunctionWeights(2);
1164 EXPECT_GT(Weights
[1], Weights
[0]);
1168 TEST(Fuzzer
, ForEachNonZeroByte
) {
1169 const size_t N
= 64;
1170 alignas(64) uint8_t Ar
[N
+ 8] = {
1171 0, 0, 0, 0, 0, 0, 0, 0,
1172 1, 2, 0, 0, 0, 0, 0, 0,
1173 0, 0, 3, 0, 4, 0, 0, 0,
1174 0, 0, 0, 0, 0, 0, 0, 0,
1175 0, 0, 0, 5, 0, 6, 0, 0,
1176 0, 0, 0, 0, 0, 0, 7, 0,
1177 0, 0, 0, 0, 0, 0, 0, 0,
1178 0, 0, 0, 0, 0, 0, 0, 8,
1179 9, 9, 9, 9, 9, 9, 9, 9,
1181 typedef std::vector
<std::pair
<size_t, uint8_t>> Vec
;
1183 auto CB
= [&](size_t FirstFeature
, size_t Idx
, uint8_t V
) {
1184 Res
.push_back({FirstFeature
+ Idx
, V
});
1186 ForEachNonZeroByte(Ar
, Ar
+ N
, 100, CB
);
1187 Expected
= {{108, 1}, {109, 2}, {118, 3}, {120, 4},
1188 {135, 5}, {137, 6}, {146, 7}, {163, 8}};
1189 EXPECT_EQ(Res
, Expected
);
1192 ForEachNonZeroByte(Ar
+ 9, Ar
+ N
, 109, CB
);
1193 Expected
= { {109, 2}, {118, 3}, {120, 4},
1194 {135, 5}, {137, 6}, {146, 7}, {163, 8}};
1195 EXPECT_EQ(Res
, Expected
);
1198 ForEachNonZeroByte(Ar
+ 9, Ar
+ N
- 9, 109, CB
);
1199 Expected
= { {109, 2}, {118, 3}, {120, 4},
1200 {135, 5}, {137, 6}, {146, 7}};
1201 EXPECT_EQ(Res
, Expected
);
1204 // FuzzerCommand unit tests. The arguments in the two helper methods below must
1206 static void makeCommandArgs(std::vector
<std::string
> *ArgsToAdd
) {
1209 ArgsToAdd
->push_back("foo");
1210 ArgsToAdd
->push_back("-bar=baz");
1211 ArgsToAdd
->push_back("qux");
1212 ArgsToAdd
->push_back(Command::ignoreRemainingArgs());
1213 ArgsToAdd
->push_back("quux");
1214 ArgsToAdd
->push_back("-grault=garply");
1217 static std::string
makeCmdLine(const char *separator
, const char *suffix
) {
1218 std::string
CmdLine("foo -bar=baz qux ");
1219 if (strlen(separator
) != 0) {
1220 CmdLine
+= separator
;
1223 CmdLine
+= Command::ignoreRemainingArgs();
1224 CmdLine
+= " quux -grault=garply";
1225 if (strlen(suffix
) != 0) {
1232 TEST(FuzzerCommand
, Create
) {
1233 std::string CmdLine
;
1235 // Default constructor
1238 CmdLine
= DefaultCmd
.toString();
1239 EXPECT_EQ(CmdLine
, "");
1241 // Explicit constructor
1242 std::vector
<std::string
> ArgsToAdd
;
1243 makeCommandArgs(&ArgsToAdd
);
1244 Command
InitializedCmd(ArgsToAdd
);
1246 CmdLine
= InitializedCmd
.toString();
1247 EXPECT_EQ(CmdLine
, makeCmdLine("", ""));
1249 // Compare each argument
1250 auto InitializedArgs
= InitializedCmd
.getArguments();
1251 auto i
= ArgsToAdd
.begin();
1252 auto j
= InitializedArgs
.begin();
1253 while (i
!= ArgsToAdd
.end() && j
!= InitializedArgs
.end()) {
1254 EXPECT_EQ(*i
++, *j
++);
1256 EXPECT_EQ(i
, ArgsToAdd
.end());
1257 EXPECT_EQ(j
, InitializedArgs
.end());
1260 Command
CopiedCmd(InitializedCmd
);
1262 CmdLine
= CopiedCmd
.toString();
1263 EXPECT_EQ(CmdLine
, makeCmdLine("", ""));
1265 // Assignment operator
1266 Command AssignedCmd
;
1267 AssignedCmd
= CopiedCmd
;
1269 CmdLine
= AssignedCmd
.toString();
1270 EXPECT_EQ(CmdLine
, makeCmdLine("", ""));
1273 TEST(FuzzerCommand
, ModifyArguments
) {
1274 std::vector
<std::string
> ArgsToAdd
;
1275 makeCommandArgs(&ArgsToAdd
);
1277 std::string CmdLine
;
1279 Cmd
.addArguments(ArgsToAdd
);
1280 CmdLine
= Cmd
.toString();
1281 EXPECT_EQ(CmdLine
, makeCmdLine("", ""));
1283 Cmd
.addArgument("waldo");
1284 EXPECT_TRUE(Cmd
.hasArgument("waldo"));
1286 CmdLine
= Cmd
.toString();
1287 EXPECT_EQ(CmdLine
, makeCmdLine("waldo", ""));
1289 Cmd
.removeArgument("waldo");
1290 EXPECT_FALSE(Cmd
.hasArgument("waldo"));
1292 CmdLine
= Cmd
.toString();
1293 EXPECT_EQ(CmdLine
, makeCmdLine("", ""));
1296 TEST(FuzzerCommand
, ModifyFlags
) {
1297 std::vector
<std::string
> ArgsToAdd
;
1298 makeCommandArgs(&ArgsToAdd
);
1299 Command
Cmd(ArgsToAdd
);
1300 std::string Value
, CmdLine
;
1301 ASSERT_FALSE(Cmd
.hasFlag("fred"));
1303 Value
= Cmd
.getFlagValue("fred");
1304 EXPECT_EQ(Value
, "");
1306 CmdLine
= Cmd
.toString();
1307 EXPECT_EQ(CmdLine
, makeCmdLine("", ""));
1309 Cmd
.addFlag("fred", "plugh");
1310 EXPECT_TRUE(Cmd
.hasFlag("fred"));
1312 Value
= Cmd
.getFlagValue("fred");
1313 EXPECT_EQ(Value
, "plugh");
1315 CmdLine
= Cmd
.toString();
1316 EXPECT_EQ(CmdLine
, makeCmdLine("-fred=plugh", ""));
1318 Cmd
.removeFlag("fred");
1319 EXPECT_FALSE(Cmd
.hasFlag("fred"));
1321 Value
= Cmd
.getFlagValue("fred");
1322 EXPECT_EQ(Value
, "");
1324 CmdLine
= Cmd
.toString();
1325 EXPECT_EQ(CmdLine
, makeCmdLine("", ""));
1328 TEST(FuzzerCommand
, SetOutput
) {
1329 std::vector
<std::string
> ArgsToAdd
;
1330 makeCommandArgs(&ArgsToAdd
);
1331 Command
Cmd(ArgsToAdd
);
1332 std::string CmdLine
;
1333 ASSERT_FALSE(Cmd
.hasOutputFile());
1334 ASSERT_FALSE(Cmd
.isOutAndErrCombined());
1336 Cmd
.combineOutAndErr(true);
1337 EXPECT_TRUE(Cmd
.isOutAndErrCombined());
1339 CmdLine
= Cmd
.toString();
1340 EXPECT_EQ(CmdLine
, makeCmdLine("", "2>&1"));
1342 Cmd
.combineOutAndErr(false);
1343 EXPECT_FALSE(Cmd
.isOutAndErrCombined());
1345 Cmd
.setOutputFile("xyzzy");
1346 EXPECT_TRUE(Cmd
.hasOutputFile());
1348 CmdLine
= Cmd
.toString();
1349 EXPECT_EQ(CmdLine
, makeCmdLine("", ">xyzzy"));
1351 Cmd
.setOutputFile("thud");
1352 EXPECT_TRUE(Cmd
.hasOutputFile());
1354 CmdLine
= Cmd
.toString();
1355 EXPECT_EQ(CmdLine
, makeCmdLine("", ">thud"));
1357 Cmd
.combineOutAndErr();
1358 EXPECT_TRUE(Cmd
.isOutAndErrCombined());
1360 CmdLine
= Cmd
.toString();
1361 EXPECT_EQ(CmdLine
, makeCmdLine("", ">thud 2>&1"));
1364 TEST(Entropic
, UpdateFrequency
) {
1365 const size_t One
= 1, Two
= 2;
1366 const size_t FeatIdx1
= 0, FeatIdx2
= 42, FeatIdx3
= 12, FeatIdx4
= 26;
1368 // Create input corpus with default entropic configuration
1369 struct EntropicOptions Entropic
= {true, 0xFF, 100, false};
1370 std::unique_ptr
<InputCorpus
> C(new InputCorpus("", Entropic
));
1371 std::unique_ptr
<InputInfo
> II(new InputInfo());
1373 C
->AddRareFeature(FeatIdx1
);
1374 C
->UpdateFeatureFrequency(II
.get(), FeatIdx1
);
1375 EXPECT_EQ(II
->FeatureFreqs
.size(), One
);
1376 C
->AddRareFeature(FeatIdx2
);
1377 C
->UpdateFeatureFrequency(II
.get(), FeatIdx1
);
1378 C
->UpdateFeatureFrequency(II
.get(), FeatIdx2
);
1379 EXPECT_EQ(II
->FeatureFreqs
.size(), Two
);
1380 EXPECT_EQ(II
->FeatureFreqs
[0].second
, 2);
1381 EXPECT_EQ(II
->FeatureFreqs
[1].second
, 1);
1383 C
->AddRareFeature(FeatIdx3
);
1384 C
->AddRareFeature(FeatIdx4
);
1385 C
->UpdateFeatureFrequency(II
.get(), FeatIdx3
);
1386 C
->UpdateFeatureFrequency(II
.get(), FeatIdx3
);
1387 C
->UpdateFeatureFrequency(II
.get(), FeatIdx3
);
1388 C
->UpdateFeatureFrequency(II
.get(), FeatIdx4
);
1390 for (Index
= 1; Index
< II
->FeatureFreqs
.size(); Index
++)
1391 EXPECT_LT(II
->FeatureFreqs
[Index
- 1].first
, II
->FeatureFreqs
[Index
].first
);
1393 II
->DeleteFeatureFreq(FeatIdx3
);
1394 for (Index
= 1; Index
< II
->FeatureFreqs
.size(); Index
++)
1395 EXPECT_LT(II
->FeatureFreqs
[Index
- 1].first
, II
->FeatureFreqs
[Index
].first
);
1398 double SubAndSquare(double X
, double Y
) {
1404 TEST(Entropic
, ComputeEnergy
) {
1405 const double Precision
= 0.01;
1406 struct EntropicOptions Entropic
= {true, 0xFF, 100, false};
1407 std::unique_ptr
<InputCorpus
> C(new InputCorpus("", Entropic
));
1408 std::unique_ptr
<InputInfo
> II(new InputInfo());
1409 std::vector
<std::pair
<uint32_t, uint16_t>> FeatureFreqs
= {
1410 {1, 3}, {2, 3}, {3, 3}};
1411 II
->FeatureFreqs
= FeatureFreqs
;
1412 II
->NumExecutedMutations
= 0;
1413 II
->UpdateEnergy(4, false, std::chrono::microseconds(0));
1414 EXPECT_LT(SubAndSquare(II
->Energy
, 1.450805), Precision
);
1416 II
->NumExecutedMutations
= 9;
1417 II
->UpdateEnergy(5, false, std::chrono::microseconds(0));
1418 EXPECT_LT(SubAndSquare(II
->Energy
, 1.525496), Precision
);
1420 II
->FeatureFreqs
[0].second
++;
1421 II
->FeatureFreqs
.push_back(std::pair
<uint32_t, uint16_t>(42, 6));
1422 II
->NumExecutedMutations
= 20;
1423 II
->UpdateEnergy(10, false, std::chrono::microseconds(0));
1424 EXPECT_LT(SubAndSquare(II
->Energy
, 1.792831), Precision
);
1427 int main(int argc
, char **argv
) {
1428 testing::InitGoogleTest(&argc
, argv
);
1429 return RUN_ALL_TESTS();