1 #include "FuzzerInternal.h"
2 #include "gtest/gtest.h"
5 using namespace fuzzer;
7 // For now, have LLVMFuzzerTestOneInput just to make it link.
8 // Later we may want to make unittests that actually call LLVMFuzzerTestOneInput.
9 extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
13 TEST(Fuzzer, CrossOver) {
14 FuzzerRandomLibc Rand(0);
15 MutationDispatcher MD(Rand);
16 Unit A({0, 1, 2}), B({5, 6, 7});
54 for (size_t Len = 1; Len < 8; Len++) {
55 std::set<Unit> FoundUnits, ExpectedUnitsWitThisLength;
56 for (int Iter = 0; Iter < 3000; Iter++) {
58 size_t NewSize = MD.CrossOver(A.data(), A.size(), B.data(), B.size(),
63 for (const Unit &U : Expected)
65 ExpectedUnitsWitThisLength.insert(U);
66 EXPECT_EQ(ExpectedUnitsWitThisLength, FoundUnits);
71 uint8_t A[] = {'a', 'b', 'c'};
72 fuzzer::Unit U(A, A + sizeof(A));
73 EXPECT_EQ("a9993e364706816aba3e25717850c26c9cd0d89d", fuzzer::Hash(U));
75 EXPECT_EQ("81fe8bfe87576c3ecb22426f8e57847382917acf", fuzzer::Hash(U));
78 typedef size_t (MutationDispatcher::*Mutator)(uint8_t *Data, size_t Size,
81 void TestEraseByte(Mutator M, int NumIter) {
82 uint8_t REM0[8] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
83 uint8_t REM1[8] = {0x00, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
84 uint8_t REM2[8] = {0x00, 0x11, 0x33, 0x44, 0x55, 0x66, 0x77};
85 uint8_t REM3[8] = {0x00, 0x11, 0x22, 0x44, 0x55, 0x66, 0x77};
86 uint8_t REM4[8] = {0x00, 0x11, 0x22, 0x33, 0x55, 0x66, 0x77};
87 uint8_t REM5[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x66, 0x77};
88 uint8_t REM6[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x77};
89 uint8_t REM7[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
90 FuzzerRandomLibc Rand(0);
91 MutationDispatcher MD(Rand);
93 for (int i = 0; i < NumIter; i++) {
94 uint8_t T[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
95 size_t NewSize = (MD.*M)(T, sizeof(T), sizeof(T));
96 if (NewSize == 7 && !memcmp(REM0, T, 7)) FoundMask |= 1 << 0;
97 if (NewSize == 7 && !memcmp(REM1, T, 7)) FoundMask |= 1 << 1;
98 if (NewSize == 7 && !memcmp(REM2, T, 7)) FoundMask |= 1 << 2;
99 if (NewSize == 7 && !memcmp(REM3, T, 7)) FoundMask |= 1 << 3;
100 if (NewSize == 7 && !memcmp(REM4, T, 7)) FoundMask |= 1 << 4;
101 if (NewSize == 7 && !memcmp(REM5, T, 7)) FoundMask |= 1 << 5;
102 if (NewSize == 7 && !memcmp(REM6, T, 7)) FoundMask |= 1 << 6;
103 if (NewSize == 7 && !memcmp(REM7, T, 7)) FoundMask |= 1 << 7;
105 EXPECT_EQ(FoundMask, 255);
108 TEST(FuzzerMutate, EraseByte1) {
109 TestEraseByte(&MutationDispatcher::Mutate_EraseByte, 100);
111 TEST(FuzzerMutate, EraseByte2) {
112 TestEraseByte(&MutationDispatcher::Mutate, 1000);
115 void TestInsertByte(Mutator M, int NumIter) {
116 FuzzerRandomLibc Rand(0);
117 MutationDispatcher MD(Rand);
119 uint8_t INS0[8] = {0xF1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
120 uint8_t INS1[8] = {0x00, 0xF2, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
121 uint8_t INS2[8] = {0x00, 0x11, 0xF3, 0x22, 0x33, 0x44, 0x55, 0x66};
122 uint8_t INS3[8] = {0x00, 0x11, 0x22, 0xF4, 0x33, 0x44, 0x55, 0x66};
123 uint8_t INS4[8] = {0x00, 0x11, 0x22, 0x33, 0xF5, 0x44, 0x55, 0x66};
124 uint8_t INS5[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0xF6, 0x55, 0x66};
125 uint8_t INS6[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0xF7, 0x66};
126 uint8_t INS7[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0xF8};
127 for (int i = 0; i < NumIter; i++) {
128 uint8_t T[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
129 size_t NewSize = (MD.*M)(T, 7, 8);
130 if (NewSize == 8 && !memcmp(INS0, T, 8)) FoundMask |= 1 << 0;
131 if (NewSize == 8 && !memcmp(INS1, T, 8)) FoundMask |= 1 << 1;
132 if (NewSize == 8 && !memcmp(INS2, T, 8)) FoundMask |= 1 << 2;
133 if (NewSize == 8 && !memcmp(INS3, T, 8)) FoundMask |= 1 << 3;
134 if (NewSize == 8 && !memcmp(INS4, T, 8)) FoundMask |= 1 << 4;
135 if (NewSize == 8 && !memcmp(INS5, T, 8)) FoundMask |= 1 << 5;
136 if (NewSize == 8 && !memcmp(INS6, T, 8)) FoundMask |= 1 << 6;
137 if (NewSize == 8 && !memcmp(INS7, T, 8)) FoundMask |= 1 << 7;
139 EXPECT_EQ(FoundMask, 255);
142 TEST(FuzzerMutate, InsertByte1) {
143 TestInsertByte(&MutationDispatcher::Mutate_InsertByte, 1 << 15);
145 TEST(FuzzerMutate, InsertByte2) {
146 TestInsertByte(&MutationDispatcher::Mutate, 1 << 17);
149 void TestChangeByte(Mutator M, int NumIter) {
150 FuzzerRandomLibc Rand(0);
151 MutationDispatcher MD(Rand);
153 uint8_t CH0[8] = {0xF0, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
154 uint8_t CH1[8] = {0x00, 0xF1, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
155 uint8_t CH2[8] = {0x00, 0x11, 0xF2, 0x33, 0x44, 0x55, 0x66, 0x77};
156 uint8_t CH3[8] = {0x00, 0x11, 0x22, 0xF3, 0x44, 0x55, 0x66, 0x77};
157 uint8_t CH4[8] = {0x00, 0x11, 0x22, 0x33, 0xF4, 0x55, 0x66, 0x77};
158 uint8_t CH5[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0xF5, 0x66, 0x77};
159 uint8_t CH6[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0xF5, 0x77};
160 uint8_t CH7[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0xF7};
161 for (int i = 0; i < NumIter; i++) {
162 uint8_t T[9] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
163 size_t NewSize = (MD.*M)(T, 8, 9);
164 if (NewSize == 8 && !memcmp(CH0, T, 8)) FoundMask |= 1 << 0;
165 if (NewSize == 8 && !memcmp(CH1, T, 8)) FoundMask |= 1 << 1;
166 if (NewSize == 8 && !memcmp(CH2, T, 8)) FoundMask |= 1 << 2;
167 if (NewSize == 8 && !memcmp(CH3, T, 8)) FoundMask |= 1 << 3;
168 if (NewSize == 8 && !memcmp(CH4, T, 8)) FoundMask |= 1 << 4;
169 if (NewSize == 8 && !memcmp(CH5, T, 8)) FoundMask |= 1 << 5;
170 if (NewSize == 8 && !memcmp(CH6, T, 8)) FoundMask |= 1 << 6;
171 if (NewSize == 8 && !memcmp(CH7, T, 8)) FoundMask |= 1 << 7;
173 EXPECT_EQ(FoundMask, 255);
176 TEST(FuzzerMutate, ChangeByte1) {
177 TestChangeByte(&MutationDispatcher::Mutate_ChangeByte, 1 << 15);
179 TEST(FuzzerMutate, ChangeByte2) {
180 TestChangeByte(&MutationDispatcher::Mutate, 1 << 17);
183 void TestChangeBit(Mutator M, int NumIter) {
184 FuzzerRandomLibc Rand(0);
185 MutationDispatcher MD(Rand);
187 uint8_t CH0[8] = {0x01, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
188 uint8_t CH1[8] = {0x00, 0x13, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
189 uint8_t CH2[8] = {0x00, 0x11, 0x02, 0x33, 0x44, 0x55, 0x66, 0x77};
190 uint8_t CH3[8] = {0x00, 0x11, 0x22, 0x37, 0x44, 0x55, 0x66, 0x77};
191 uint8_t CH4[8] = {0x00, 0x11, 0x22, 0x33, 0x54, 0x55, 0x66, 0x77};
192 uint8_t CH5[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x54, 0x66, 0x77};
193 uint8_t CH6[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x76, 0x77};
194 uint8_t CH7[8] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0xF7};
195 for (int i = 0; i < NumIter; i++) {
196 uint8_t T[9] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
197 size_t NewSize = (MD.*M)(T, 8, 9);
198 if (NewSize == 8 && !memcmp(CH0, T, 8)) FoundMask |= 1 << 0;
199 if (NewSize == 8 && !memcmp(CH1, T, 8)) FoundMask |= 1 << 1;
200 if (NewSize == 8 && !memcmp(CH2, T, 8)) FoundMask |= 1 << 2;
201 if (NewSize == 8 && !memcmp(CH3, T, 8)) FoundMask |= 1 << 3;
202 if (NewSize == 8 && !memcmp(CH4, T, 8)) FoundMask |= 1 << 4;
203 if (NewSize == 8 && !memcmp(CH5, T, 8)) FoundMask |= 1 << 5;
204 if (NewSize == 8 && !memcmp(CH6, T, 8)) FoundMask |= 1 << 6;
205 if (NewSize == 8 && !memcmp(CH7, T, 8)) FoundMask |= 1 << 7;
207 EXPECT_EQ(FoundMask, 255);
210 TEST(FuzzerMutate, ChangeBit1) {
211 TestChangeBit(&MutationDispatcher::Mutate_ChangeBit, 1 << 16);
213 TEST(FuzzerMutate, ChangeBit2) {
214 TestChangeBit(&MutationDispatcher::Mutate, 1 << 18);
217 void TestShuffleBytes(Mutator M, int NumIter) {
218 FuzzerRandomLibc Rand(0);
219 MutationDispatcher MD(Rand);
221 uint8_t CH0[7] = {0x00, 0x22, 0x11, 0x33, 0x44, 0x55, 0x66};
222 uint8_t CH1[7] = {0x11, 0x00, 0x33, 0x22, 0x44, 0x55, 0x66};
223 uint8_t CH2[7] = {0x00, 0x33, 0x11, 0x22, 0x44, 0x55, 0x66};
224 uint8_t CH3[7] = {0x00, 0x11, 0x22, 0x44, 0x55, 0x66, 0x33};
225 uint8_t CH4[7] = {0x00, 0x11, 0x22, 0x33, 0x55, 0x44, 0x66};
226 for (int i = 0; i < NumIter; i++) {
227 uint8_t T[7] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
228 size_t NewSize = (MD.*M)(T, 7, 7);
229 if (NewSize == 7 && !memcmp(CH0, T, 7)) FoundMask |= 1 << 0;
230 if (NewSize == 7 && !memcmp(CH1, T, 7)) FoundMask |= 1 << 1;
231 if (NewSize == 7 && !memcmp(CH2, T, 7)) FoundMask |= 1 << 2;
232 if (NewSize == 7 && !memcmp(CH3, T, 7)) FoundMask |= 1 << 3;
233 if (NewSize == 7 && !memcmp(CH4, T, 7)) FoundMask |= 1 << 4;
235 EXPECT_EQ(FoundMask, 31);
238 TEST(FuzzerMutate, ShuffleBytes1) {
239 TestShuffleBytes(&MutationDispatcher::Mutate_ShuffleBytes, 1 << 15);
241 TEST(FuzzerMutate, ShuffleBytes2) {
242 TestShuffleBytes(&MutationDispatcher::Mutate, 1 << 16);
245 void TestAddWordFromDictionary(Mutator M, int NumIter) {
246 FuzzerRandomLibc Rand(0);
247 MutationDispatcher MD(Rand);
248 uint8_t Word1[4] = {0xAA, 0xBB, 0xCC, 0xDD};
249 uint8_t Word2[3] = {0xFF, 0xEE, 0xEF};
250 MD.AddWordToDictionary(Word1, sizeof(Word1));
251 MD.AddWordToDictionary(Word2, sizeof(Word2));
253 uint8_t CH0[7] = {0x00, 0x11, 0x22, 0xAA, 0xBB, 0xCC, 0xDD};
254 uint8_t CH1[7] = {0x00, 0x11, 0xAA, 0xBB, 0xCC, 0xDD, 0x22};
255 uint8_t CH2[7] = {0x00, 0xAA, 0xBB, 0xCC, 0xDD, 0x11, 0x22};
256 uint8_t CH3[7] = {0xAA, 0xBB, 0xCC, 0xDD, 0x00, 0x11, 0x22};
257 uint8_t CH4[6] = {0x00, 0x11, 0x22, 0xFF, 0xEE, 0xEF};
258 uint8_t CH5[6] = {0x00, 0x11, 0xFF, 0xEE, 0xEF, 0x22};
259 uint8_t CH6[6] = {0x00, 0xFF, 0xEE, 0xEF, 0x11, 0x22};
260 uint8_t CH7[6] = {0xFF, 0xEE, 0xEF, 0x00, 0x11, 0x22};
261 for (int i = 0; i < NumIter; i++) {
262 uint8_t T[7] = {0x00, 0x11, 0x22};
263 size_t NewSize = (MD.*M)(T, 3, 7);
264 if (NewSize == 7 && !memcmp(CH0, T, 7)) FoundMask |= 1 << 0;
265 if (NewSize == 7 && !memcmp(CH1, T, 7)) FoundMask |= 1 << 1;
266 if (NewSize == 7 && !memcmp(CH2, T, 7)) FoundMask |= 1 << 2;
267 if (NewSize == 7 && !memcmp(CH3, T, 7)) FoundMask |= 1 << 3;
268 if (NewSize == 6 && !memcmp(CH4, T, 6)) FoundMask |= 1 << 4;
269 if (NewSize == 6 && !memcmp(CH5, T, 6)) FoundMask |= 1 << 5;
270 if (NewSize == 6 && !memcmp(CH6, T, 6)) FoundMask |= 1 << 6;
271 if (NewSize == 6 && !memcmp(CH7, T, 6)) FoundMask |= 1 << 7;
273 EXPECT_EQ(FoundMask, 255);
276 TEST(FuzzerMutate, AddWordFromDictionary1) {
277 TestAddWordFromDictionary(&MutationDispatcher::Mutate_AddWordFromDictionary,
281 TEST(FuzzerMutate, AddWordFromDictionary2) {
282 TestAddWordFromDictionary(&MutationDispatcher::Mutate, 1 << 15);
285 void TestChangeASCIIInteger(Mutator M, int NumIter) {
286 FuzzerRandomLibc Rand(0);
287 MutationDispatcher MD(Rand);
289 uint8_t CH0[8] = {'1', '2', '3', '4', '5', '6', '7', '7'};
290 uint8_t CH1[8] = {'1', '2', '3', '4', '5', '6', '7', '9'};
291 uint8_t CH2[8] = {'2', '4', '6', '9', '1', '3', '5', '6'};
292 uint8_t CH3[8] = {'0', '6', '1', '7', '2', '8', '3', '9'};
294 for (int i = 0; i < NumIter; i++) {
295 uint8_t T[8] = {'1', '2', '3', '4', '5', '6', '7', '8'};
296 size_t NewSize = (MD.*M)(T, 8, 8);
297 /**/ if (NewSize == 8 && !memcmp(CH0, T, 8)) FoundMask |= 1 << 0;
298 else if (NewSize == 8 && !memcmp(CH1, T, 8)) FoundMask |= 1 << 1;
299 else if (NewSize == 8 && !memcmp(CH2, T, 8)) FoundMask |= 1 << 2;
300 else if (NewSize == 8 && !memcmp(CH3, T, 8)) FoundMask |= 1 << 3;
301 else if (NewSize == 8) FoundMask |= 1 << 4;
303 EXPECT_EQ(FoundMask, 31);
306 TEST(FuzzerMutate, ChangeASCIIInteger1) {
307 TestChangeASCIIInteger(&MutationDispatcher::Mutate_ChangeASCIIInteger,
311 TEST(FuzzerMutate, ChangeASCIIInteger2) {
312 TestChangeASCIIInteger(&MutationDispatcher::Mutate, 1 << 15);
316 TEST(FuzzerDictionary, ParseOneDictionaryEntry) {
318 EXPECT_FALSE(ParseOneDictionaryEntry("", &U));
319 EXPECT_FALSE(ParseOneDictionaryEntry(" ", &U));
320 EXPECT_FALSE(ParseOneDictionaryEntry("\t ", &U));
321 EXPECT_FALSE(ParseOneDictionaryEntry(" \" ", &U));
322 EXPECT_FALSE(ParseOneDictionaryEntry(" zz\" ", &U));
323 EXPECT_FALSE(ParseOneDictionaryEntry(" \"zz ", &U));
324 EXPECT_FALSE(ParseOneDictionaryEntry(" \"\" ", &U));
325 EXPECT_TRUE(ParseOneDictionaryEntry("\"a\"", &U));
326 EXPECT_EQ(U, Unit({'a'}));
327 EXPECT_TRUE(ParseOneDictionaryEntry("\"abc\"", &U));
328 EXPECT_EQ(U, Unit({'a', 'b', 'c'}));
329 EXPECT_TRUE(ParseOneDictionaryEntry("abc=\"abc\"", &U));
330 EXPECT_EQ(U, Unit({'a', 'b', 'c'}));
331 EXPECT_FALSE(ParseOneDictionaryEntry("\"\\\"", &U));
332 EXPECT_TRUE(ParseOneDictionaryEntry("\"\\\\\"", &U));
333 EXPECT_EQ(U, Unit({'\\'}));
334 EXPECT_TRUE(ParseOneDictionaryEntry("\"\\xAB\"", &U));
335 EXPECT_EQ(U, Unit({0xAB}));
336 EXPECT_TRUE(ParseOneDictionaryEntry("\"\\xABz\\xDE\"", &U));
337 EXPECT_EQ(U, Unit({0xAB, 'z', 0xDE}));
338 EXPECT_TRUE(ParseOneDictionaryEntry("\"#\"", &U));
339 EXPECT_EQ(U, Unit({'#'}));
340 EXPECT_TRUE(ParseOneDictionaryEntry("\"\\\"\"", &U));
341 EXPECT_EQ(U, Unit({'"'}));
344 TEST(FuzzerDictionary, ParseDictionaryFile) {
345 std::vector<Unit> Units;
346 EXPECT_FALSE(ParseDictionaryFile("zzz\n", &Units));
347 EXPECT_FALSE(ParseDictionaryFile("", &Units));
348 EXPECT_TRUE(ParseDictionaryFile("\n", &Units));
349 EXPECT_EQ(Units.size(), 0U);
350 EXPECT_TRUE(ParseDictionaryFile("#zzzz a b c d\n", &Units));
351 EXPECT_EQ(Units.size(), 0U);
352 EXPECT_TRUE(ParseDictionaryFile(" #zzzz\n", &Units));
353 EXPECT_EQ(Units.size(), 0U);
354 EXPECT_TRUE(ParseDictionaryFile(" #zzzz\n", &Units));
355 EXPECT_EQ(Units.size(), 0U);
356 EXPECT_TRUE(ParseDictionaryFile(" #zzzz\naaa=\"aa\"", &Units));
357 EXPECT_EQ(Units, std::vector<Unit>({Unit({'a', 'a'})}));
359 ParseDictionaryFile(" #zzzz\naaa=\"aa\"\n\nabc=\"abc\"", &Units));
361 std::vector<Unit>({Unit({'a', 'a'}), Unit({'a', 'b', 'c'})}));
364 TEST(FuzzerUtil, Base64) {
365 EXPECT_EQ("", Base64({}));
366 EXPECT_EQ("YQ==", Base64({'a'}));
367 EXPECT_EQ("eA==", Base64({'x'}));
368 EXPECT_EQ("YWI=", Base64({'a', 'b'}));
369 EXPECT_EQ("eHk=", Base64({'x', 'y'}));
370 EXPECT_EQ("YWJj", Base64({'a', 'b', 'c'}));
371 EXPECT_EQ("eHl6", Base64({'x', 'y', 'z'}));
372 EXPECT_EQ("YWJjeA==", Base64({'a', 'b', 'c', 'x'}));
373 EXPECT_EQ("YWJjeHk=", Base64({'a', 'b', 'c', 'x', 'y'}));
374 EXPECT_EQ("YWJjeHl6", Base64({'a', 'b', 'c', 'x', 'y', 'z'}));