
1 /*	$OpenBSD: fuzz.c,v 1.8 2015/03/03 20:42:49 djm Exp $	*/
18 /* Utility functions/framework for fuzz tests */
59 struct fuzz {
70 /* Current working copy of seed with fuzz mutations applied */
73 /* Used by fuzz methods */
103 fuzz_fmt(struct fuzz *fuzz, char *s, size_t n)
105 if (fuzz == NULL)
108 switch (fuzz->strategy) {
111 fuzz_ntop(fuzz->strategy),
112 fuzz->o1, fuzz->slen * 8, fuzz->o1);
116 fuzz_ntop(fuzz->strategy),
117 (((fuzz_ullong)fuzz->o2) * fuzz->slen * 8) + fuzz->o1,
118 ((fuzz_ullong)fuzz->slen * 8) * fuzz->slen * 8,
119 fuzz->o1, fuzz->o2);
123 fuzz_ntop(fuzz->strategy),
124 fuzz->o1, fuzz->slen, fuzz->o1);
128 fuzz_ntop(fuzz->strategy),
129 (((fuzz_ullong)fuzz->o2) * fuzz->slen) + fuzz->o1,
130 ((fuzz_ullong)fuzz->slen) * fuzz->slen,
131 fuzz->o1, fuzz->o2);
135 fuzz_ntop(fuzz->strategy),
136 fuzz->o1, fuzz->slen, fuzz->o1);
140 fuzz_ntop(fuzz->strategy),
141 fuzz->o1, fuzz->slen, fuzz->o1);
144 assert(fuzz->o2 < sizeof(fuzz_b64chars) - 1);
146 fuzz_ntop(fuzz->strategy),
147 (fuzz->o1 * (fuzz_ullong)64) + fuzz->o2,
148 fuzz->slen * (fuzz_ullong)64, fuzz->o1,
149 fuzz_b64chars[fuzz->o2]);
184 fuzz_dump(struct fuzz *fuzz)
188 if (fuzz_fmt(fuzz, buf, sizeof(buf)) != 0) {
189 fprintf(stderr, "%s: fuzz invalid\n", __func__);
193 fprintf(stderr, "fuzz original %p len = %zu\n", fuzz->seed, fuzz->slen);
194 dump(fuzz->seed, fuzz->slen);
195 fprintf(stderr, "fuzz context %p len = %zu\n", fuzz, fuzz_len(fuzz));
196 dump(fuzz_ptr(fuzz), fuzz_len(fuzz));
200 static struct fuzz *last_fuzz;
216 struct fuzz *
219 struct fuzz *ret = calloc(sizeof(*ret), 1);
245 fuzz_cleanup(struct fuzz *fuzz)
247 FUZZ_DBG(("cleanup, fuzz = %p", fuzz));
252 assert(fuzz != NULL);
253 assert(fuzz->seed != NULL);
254 assert(fuzz->fuzzed != NULL);
255 free(fuzz->seed);
256 free(fuzz->fuzzed);
257 free(fuzz);
261 fuzz_strategy_done(struct fuzz *fuzz)
263 FUZZ_DBG(("fuzz = %p, strategy = %s, o1 = %zu, o2 = %zu, slen = %zu",
264 fuzz, fuzz_ntop(fuzz->strategy), fuzz->o1, fuzz->o2, fuzz->slen));
266 switch (fuzz->strategy) {
268 return fuzz->o1 >= fuzz->slen * 8;
270 return fuzz->o2 >= fuzz->slen * 8;
272 return fuzz->o2 >= fuzz->slen;
277 return fuzz->o1 >= fuzz->slen;
284 fuzz_next(struct fuzz *fuzz)
288 FUZZ_DBG(("start, fuzz = %p, strategy = %s, strategies = 0x%lx, "
289 "o1 = %zu, o2 = %zu, slen = %zu", fuzz, fuzz_ntop(fuzz->strategy),
290 (u_long)fuzz->strategies, fuzz->o1, fuzz->o2, fuzz->slen));
292 if (fuzz->strategy == 0 || fuzz_strategy_done(fuzz)) {
294 if (fuzz->fuzzed == NULL) {
296 fuzz->fuzzed = calloc(fuzz->slen, 1);
301 if ((fuzz->strategies & i) != 0) {
302 fuzz->strategy = i;
306 FUZZ_DBG(("selected = %u", fuzz->strategy));
307 if (fuzz->strategy == 0) {
311 fuzz->strategies &= ~(fuzz->strategy);
312 fuzz->o1 = fuzz->o2 = 0;
315 assert(fuzz->fuzzed != NULL);
317 switch (fuzz->strategy) {
319 assert(fuzz->o1 / 8 < fuzz->slen);
320 memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);
321 fuzz->fuzzed[fuzz->o1 / 8] ^= 1 << (fuzz->o1 % 8);
322 fuzz->o1++;
325 assert(fuzz->o1 / 8 < fuzz->slen);
326 assert(fuzz->o2 / 8 < fuzz->slen);
327 memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);
328 fuzz->fuzzed[fuzz->o1 / 8] ^= 1 << (fuzz->o1 % 8);
329 fuzz->fuzzed[fuzz->o2 / 8] ^= 1 << (fuzz->o2 % 8);
330 fuzz->o1++;
331 if (fuzz->o1 >= fuzz->slen * 8) {
332 fuzz->o1 = 0;
333 fuzz->o2++;
337 assert(fuzz->o1 < fuzz->slen);
338 memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);
339 fuzz->fuzzed[fuzz->o1] ^= 0xff;
340 fuzz->o1++;
343 assert(fuzz->o1 < fuzz->slen);
344 assert(fuzz->o2 < fuzz->slen);
345 memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);
346 fuzz->fuzzed[fuzz->o1] ^= 0xff;
347 fuzz->fuzzed[fuzz->o2] ^= 0xff;
348 fuzz->o1++;
349 if (fuzz->o1 >= fuzz->slen) {
350 fuzz->o1 = 0;
351 fuzz->o2++;
356 assert(fuzz->o1 < fuzz->slen);
357 memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);
358 fuzz->o1++;
361 assert(fuzz->o1 < fuzz->slen);
362 assert(fuzz->o2 < sizeof(fuzz_b64chars) - 1);
363 memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);
364 fuzz->fuzzed[fuzz->o1] = fuzz_b64chars[fuzz->o2];
365 fuzz->o2++;
366 if (fuzz->o2 >= sizeof(fuzz_b64chars) - 1) {
367 fuzz->o2 = 0;
368 fuzz->o1++;
375 FUZZ_DBG(("done, fuzz = %p, strategy = %s, strategies = 0x%lx, "
376 "o1 = %zu, o2 = %zu, slen = %zu", fuzz, fuzz_ntop(fuzz->strategy),
377 (u_long)fuzz->strategies, fuzz->o1, fuzz->o2, fuzz->slen));
381 fuzz_matches_original(struct fuzz *fuzz)
383 if (fuzz_len(fuzz) != fuzz->slen)
385 return memcmp(fuzz_ptr(fuzz), fuzz->seed, fuzz->slen) == 0;
389 fuzz_done(struct fuzz *fuzz)
391 FUZZ_DBG(("fuzz = %p, strategies = 0x%lx", fuzz,
392 (u_long)fuzz->strategies));
394 return fuzz_strategy_done(fuzz) && fuzz->strategies == 0;
398 fuzz_len(struct fuzz *fuzz)
400 assert(fuzz->fuzzed != NULL);
401 switch (fuzz->strategy) {
407 return fuzz->slen;
410 assert(fuzz->o1 <= fuzz->slen);
411 return fuzz->slen - fuzz->o1;
418 fuzz_ptr(struct fuzz *fuzz)
420 assert(fuzz->fuzzed != NULL);
421 switch (fuzz->strategy) {
427 return fuzz->fuzzed;
429 assert(fuzz->o1 <= fuzz->slen);
430 return fuzz->fuzzed + fuzz->o1;
432 assert(fuzz->o1 <= fuzz->slen);
433 return fuzz->fuzzed;