SRI-JCZBC
/
Cockpit-cpp


			
				
					
						
						
							12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091
							// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef TOOLS_IPC_FUZZER_MUTATE_FUZZER_H_
#define TOOLS_IPC_FUZZER_MUTATE_FUZZER_H_

#include <stddef.h>
#include <stdint.h>

#include <memory>
#include <string>
#include <unordered_map>
#include <vector>

#include "base/strings/string_util.h"
#include "ipc/ipc_message.h"

namespace ipc_fuzzer {

// Interface implemented by those who generate basic types.  The types all
// correspond to the types which a pickle from base/pickle.h can pickle,
// plus the floating point types.
class Fuzzer {
 public:
  // Functions for various data types.
  virtual void FuzzBool(bool* value) = 0;
  virtual void FuzzInt(int* value) = 0;
  virtual void FuzzLong(long* value) = 0;
  virtual void FuzzSize(size_t* value) = 0;
  virtual void FuzzUChar(unsigned char* value) = 0;
  virtual void FuzzWChar(wchar_t* value) = 0;
  virtual void FuzzUInt16(uint16_t* value) = 0;
  virtual void FuzzUInt32(uint32_t* value) = 0;
  virtual void FuzzInt64(int64_t* value) = 0;
  virtual void FuzzUInt64(uint64_t* value) = 0;
  virtual void FuzzFloat(float* value) = 0;
  virtual void FuzzDouble(double *value) = 0;
  virtual void FuzzString(std::string* value) = 0;
  virtual void FuzzString16(base::string16* value) = 0;
  virtual void FuzzData(char* data, int length) = 0;
  virtual void FuzzBytes(void* data, int data_len) = 0;

  // Used to determine if a completely new value should be generated for
  // certain types instead of attempting to modify the existing one.
  virtual bool ShouldGenerate();
};

class NoOpFuzzer : public Fuzzer {
 public:
  NoOpFuzzer() {}
  virtual ~NoOpFuzzer() {}

  void FuzzBool(bool* value) override {}
  void FuzzInt(int* value) override {}
  void FuzzLong(long* value) override {}
  void FuzzSize(size_t* value) override {}
  void FuzzUChar(unsigned char* value) override {}
  void FuzzWChar(wchar_t* value) override {}
  void FuzzUInt16(uint16_t* value) override {}
  void FuzzUInt32(uint32_t* value) override {}
  void FuzzInt64(int64_t* value) override {}
  void FuzzUInt64(uint64_t* value) override {}
  void FuzzFloat(float* value) override {}
  void FuzzDouble(double* value) override {}
  void FuzzString(std::string* value) override {}
  void FuzzString16(base::string16* value) override {}
  void FuzzData(char* data, int length) override {}
  void FuzzBytes(void* data, int data_len) override {}
};

using FuzzerFunction = std::unique_ptr<IPC::Message> (*)(IPC::Message*,
                                                         Fuzzer*);

// Used for mutating messages. Once populated, the map associates a message ID
// with a FuzzerFunction used for mutation of that message type.
using FuzzerFunctionMap = std::unordered_map<uint32_t, FuzzerFunction>;
void PopulateFuzzerFunctionMap(FuzzerFunctionMap* map);

// Used for generating new messages. Once populated, the vector contains
// FuzzerFunctions for all message types that we know how to generate.
using FuzzerFunctionVector = std::vector<FuzzerFunction>;
void PopulateFuzzerFunctionVector(FuzzerFunctionVector* function_vector);

// Since IPC::Message can be serialized, we also track a global function vector
// to handle generation of new messages while fuzzing.
extern FuzzerFunctionVector g_function_vector;

}  // namespace ipc_fuzzer

#endif  // TOOLS_IPC_FUZZER_MUTATE_FUZZER_H_