From 89f52ac1888aa44d0ef81380af1145a1f66d4ef8 Mon Sep 17 00:00:00 2001
From: Kostya Serebryany
Date: Tue, 11 Aug 2015 01:44:42 +0000
Subject: [PATCH] [libFuzzer] add -only_ascii flag
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@244559 91177308-0d34-0410-b5e6-96231b3b80d8
---
 docs/LibFuzzer.rst | 1 +
 lib/Fuzzer/FuzzerDriver.cpp | 1 +
 lib/Fuzzer/FuzzerFlags.def | 2 ++
 lib/Fuzzer/FuzzerInternal.h | 7 ++++++-
 lib/Fuzzer/FuzzerLoop.cpp | 7 ++++++-
 lib/Fuzzer/FuzzerUtil.cpp | 13 +++++++++++++
 6 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/docs/LibFuzzer.rst b/docs/LibFuzzer.rst
index 0eabb5d8069..4aeace134dd 100644
--- a/docs/LibFuzzer.rst
+++ b/docs/LibFuzzer.rst
@@ -69,6 +69,7 @@ The most important flags are::
 sync_command 0 Execute an external command " " to synchronize the test corpus.
 sync_timeout 600 Minimum timeout between syncs.
 use_traces 0 Experimental: use instruction traces
+ only_ascii 0 If 1, generate only ASCII (isprint+isspace) inputs.
 For the full list of flags run the fuzzer binary with ``-help=1``.
diff --git a/lib/Fuzzer/FuzzerDriver.cpp b/lib/Fuzzer/FuzzerDriver.cpp
index 7f3ec7ba2ed..4136e016461 100644
--- a/lib/Fuzzer/FuzzerDriver.cpp
+++ b/lib/Fuzzer/FuzzerDriver.cpp
@@ -240,6 +240,7 @@ int FuzzerDriver(int argc, char **argv, UserSuppliedFuzzer &USF) {
 Flags.prefer_small_during_initial_shuffle;
 Options.Tokens = ReadTokensFile(Flags.tokens);
 Options.Reload = Flags.reload;
+ Options.OnlyASCII = Flags.only_ascii;
 if (Flags.runs >= 0)
 Options.MaxNumberOfRuns = Flags.runs;
 if (!inputs.empty())
diff --git a/lib/Fuzzer/FuzzerFlags.def b/lib/Fuzzer/FuzzerFlags.def
index ac3ac6ef3f8..91aff99f045 100644
--- a/lib/Fuzzer/FuzzerFlags.def
+++ b/lib/Fuzzer/FuzzerFlags.def
@@ -60,3 +60,5 @@ FUZZER_FLAG_STRING(sync_command, "Execute an external command "
 FUZZER_FLAG_INT(sync_timeout, 600, "Minimum timeout between syncs.")
 FUZZER_FLAG_INT(report_slow_units, 10,
 "Report slowest units if they run for more than this number of seconds.")
+FUZZER_FLAG_INT(only_ascii, 0,
+ "If 1, generate only ASCII (isprint+isspace) inputs.")
diff --git a/lib/Fuzzer/FuzzerInternal.h b/lib/Fuzzer/FuzzerInternal.h
index abda08b627c..6f7525e7875 100644
--- a/lib/Fuzzer/FuzzerInternal.h
+++ b/lib/Fuzzer/FuzzerInternal.h
@@ -50,6 +50,10 @@ static const int kSHA1NumBytes = 20;
 // Computes SHA1 hash of 'Len' bytes in 'Data', writes kSHA1NumBytes to 'Out'.
 void ComputeSHA1(const uint8_t *Data, size_t Len, uint8_t *Out);
+// Changes U to contain only ASCII (isprint+isspace) characters.
+// Returns true iff U has been changed.
+bool ToASCII(Unit &U);
+
 int NumberOfCpuCores();
 class Fuzzer {
@@ -69,6 +73,7 @@ class Fuzzer {
 size_t MaxNumberOfRuns = ULONG_MAX;
 int SyncTimeout = 600;
 int ReportSlowUnits = 10;
+ bool OnlyASCII = false;
 std::string OutputCorpus;
 std::string SyncCommand;
 std::vector Tokens;
@@ -103,7 +108,7 @@ class Fuzzer {
 void MutateAndTestOne(Unit *U);
 void ReportNewCoverage(size_t NewCoverage, const Unit &U);
 size_t RunOne(const Unit &U);
- void RunOneAndUpdateCorpus(const Unit &U);
+ void RunOneAndUpdateCorpus(Unit &U);
 size_t RunOneMaximizeTotalCoverage(const Unit &U);
 size_t RunOneMaximizeFullCoverageSet(const Unit &U);
 size_t RunOneMaximizeCoveragePairs(const Unit &U);
diff --git a/lib/Fuzzer/FuzzerLoop.cpp b/lib/Fuzzer/FuzzerLoop.cpp
index 69b49b025a0..3f7fcb5ea9b 100644
--- a/lib/Fuzzer/FuzzerLoop.cpp
+++ b/lib/Fuzzer/FuzzerLoop.cpp
@@ -170,9 +170,11 @@ size_t Fuzzer::RunOne(const Unit &U) {
 return Res;
 }
-void Fuzzer::RunOneAndUpdateCorpus(const Unit &U) {
+void Fuzzer::RunOneAndUpdateCorpus(Unit &U) {
 if (TotalNumberOfRuns >= Options.MaxNumberOfRuns)
 return;
+ if (Options.OnlyASCII)
+ ToASCII(U);
 ReportNewCoverage(RunOne(U), U);
 }
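Review bot: The new `void RunOneAndUpdateCorpus(Unit &U);` declaration drops the `const` without saying why, and the reason — the FuzzerLoop.cpp hunk rewrites U in place through `ToASCII(U)` whenever `Options.OnlyASCII` is set — is only discoverable by reading the .cpp. A one-line comment on the declaration, `// May rewrite U in place (see Options.OnlyASCII) before running it.`, would tell callers that a unit they keep after the call may no longer equal what they passed in; the definition in the FuzzerLoop.cpp hunk carries no such comment either. Whether any caller passes a reference to a stored corpus element, so that the corpus itself is normalized as a side effect, is not visible on the page. The enclosing class Fuzzer starts and ends outside the hunk.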
@@ -251,6 +253,9 @@ void Fuzzer::WriteToOutputCorpus(const Unit &U) {
 WriteToFile(U, Path);
 if (Options.Verbosity >= 2)
 Printf("Written to %s\n", Path.c_str());
+ if (Options.OnlyASCII)
+ for (auto X : U)
+ assert(isprint(X) || isspace(X));
 }
 void Fuzzer::WriteUnitToFileWithPrefix(const Unit &U, const char *Prefix) {
diff --git a/lib/Fuzzer/FuzzerUtil.cpp b/lib/Fuzzer/FuzzerUtil.cpp
index e381c040632..e76adb37481 100644
--- a/lib/Fuzzer/FuzzerUtil.cpp
+++ b/lib/Fuzzer/FuzzerUtil.cpp
@@ -73,4 +73,17 @@ void ExecuteCommand(const std::string &Command) {
 system(Command.c_str());
 }
+bool ToASCII(Unit &U) {
+ bool Changed = false;
+ for (auto &X : U) {
+ auto NewX = X;
+ NewX &= 127;
+ if (!isspace(NewX) && !isprint(NewX))
+ NewX = ' ';
+ Changed |= NewX != X;
+ X = NewX;
+ }
+ return Changed;
+}
+
 } // namespace fuzzer
-- 
2.34.1
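Review bot: The new ASCII check in WriteToOutputCorpus runs after `WriteToFile(U, Path);`, so a unit that violates the invariant has already been persisted to the corpus directory by the time `assert(isprint(X) || isspace(X))` fires, and in an NDEBUG build the loop body is compiled out and nothing is checked at all. Moving the three added lines above the `WriteToFile` call keeps a bad unit off disk in debug builds; if the invariant is meant to hold in release builds too, a real check that skips the write (or prints a diagnostic via Printf) is needed rather than assert. The check also passes X to the ctype functions unmasked, whereas ToASCII masks with 127 first; that is only equivalent for units that went through ToASCII, and whether every caller of WriteToOutputCorpus does so is not visible on the page. WriteToOutputCorpus starts outside the hunk.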
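Review bot: `NewX &= 127` is doing two jobs in ToASCII — it keeps the argument to `isspace`/`isprint` inside the range those functions accept, and it folds high bytes onto their 7-bit counterparts instead of blanking them — and neither is stated, so the line reads like an arbitrary constant. A comment above the mask, `// Clear bit 7 first: keeps the ctype arguments in range and maps high bytes to their 7-bit form rather than to ' '.`, would cover that. Both ctype functions also classify according to the current C locale, so the set of bytes this normalizer preserves can shift if the target under test calls `setlocale` in-process; the ToASCII comment in FuzzerInternal.h should say that classification follows the current locale. Unit's element type is not shown on the page, so whether `auto NewX = X` deduces a signed type is worth confirming, though after the mask the value is non-negative either way.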