Google Git
Sign in
chromium / chromium / src / 6036187a1d76f93d870769db672a39bfece18b4d / . / tools / ipc_fuzzer / fuzzer / fuzzer.h
blob: 531bbe77499791af36a618037cedda35045e71d4 [file] [log] [blame]
// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef TOOLS_IPC_FUZZER_MUTATE_FUZZER_H_
#define TOOLS_IPC_FUZZER_MUTATE_FUZZER_H_
#include <stddef.h>
#include <stdint.h>
#include <memory>
#include <string>
#include <unordered_map>
#include <vector>
#include "base/strings/string_util.h"
#include "ipc/ipc_message.h"
namespace ipc_fuzzer {
// Interface implemented by those who generate basic types. The types all
// correspond to the types which a pickle from base/pickle.h can pickle,
// plus the floating point types.
class Fuzzer {
public:
// Functions for various data types.
virtual void FuzzBool(bool* value) = 0;
virtual void FuzzInt(int* value) = 0;
virtual void FuzzLong(long* value) = 0;
virtual void FuzzSize(size_t* value) = 0;
virtual void FuzzUChar(unsigned char* value) = 0;
virtual void FuzzWChar(wchar_t* value) = 0;
virtual void FuzzUInt16(uint16_t* value) = 0;
virtual void FuzzUInt32(uint32_t* value) = 0;
virtual void FuzzInt64(int64_t* value) = 0;
virtual void FuzzUInt64(uint64_t* value) = 0;
virtual void FuzzFloat(float* value) = 0;
virtual void FuzzDouble(double *value) = 0;
virtual void FuzzString(std::string* value) = 0;
virtual void FuzzString16(base::string16* value) = 0;
virtual void FuzzData(char* data, int length) = 0;
virtual void FuzzBytes(void* data, int data_len) = 0;
// Used to determine if a completely new value should be generated for
// certain types instead of attempting to modify the existing one.
virtual bool ShouldGenerate();
};
class NoOpFuzzer : public Fuzzer {
public:
NoOpFuzzer() {}
virtual ~NoOpFuzzer() {}
void FuzzBool(bool* value) override {}
void FuzzInt(int* value) override {}
void FuzzLong(long* value) override {}
void FuzzSize(size_t* value) override {}
void FuzzUChar(unsigned char* value) override {}
void FuzzWChar(wchar_t* value) override {}
void FuzzUInt16(uint16_t* value) override {}
void FuzzUInt32(uint32_t* value) override {}
void FuzzInt64(int64_t* value) override {}
void FuzzUInt64(uint64_t* value) override {}
void FuzzFloat(float* value) override {}
void FuzzDouble(double* value) override {}
void FuzzString(std::string* value) override {}
void FuzzString16(base::string16* value) override {}
void FuzzData(char* data, int length) override {}
void FuzzBytes(void* data, int data_len) override {}
};
using FuzzerFunction = std::unique_ptr<IPC::Message> (*)(IPC::Message*,
Fuzzer*);
// Used for mutating messages. Once populated, the map associates a message ID
// with a FuzzerFunction used for mutation of that message type.
using FuzzerFunctionMap = std::unordered_map<uint32_t, FuzzerFunction>;
void PopulateFuzzerFunctionMap(FuzzerFunctionMap* map);
// Used for generating new messages. Once populated, the vector contains
// FuzzerFunctions for all message types that we know how to generate.
using FuzzerFunctionVector = std::vector<FuzzerFunction>;
void PopulateFuzzerFunctionVector(FuzzerFunctionVector* function_vector);
// Since IPC::Message can be serialized, we also track a global function vector
// to handle generation of new messages while fuzzing.
extern FuzzerFunctionVector g_function_vector;
} // namespace ipc_fuzzer
#endif // TOOLS_IPC_FUZZER_MUTATE_FUZZER_H_