From fb7d8d9d06e3bd24eb830fb7d3f3fb675043ec8a Mon Sep 17 00:00:00 2001
From: Kostya Serebryany
Date: Fri, 31 Jul 2015 01:33:06 +0000
Subject: [libFuzzer] trace switch statements and apply mutations based on the expected case values

llvm-svn: 243726
---
 llvm/lib/Fuzzer/test/CMakeLists.txt | 1 +
 llvm/lib/Fuzzer/test/SwitchTest.cpp | 35 +++++++++++++++++++++++++++++++++++
 llvm/lib/Fuzzer/test/fuzzer.test | 3 +++
 3 files changed, 39 insertions(+)
 create mode 100644 llvm/lib/Fuzzer/test/SwitchTest.cpp
(limited to 'llvm/lib/Fuzzer/test')

diff --git a/llvm/lib/Fuzzer/test/CMakeLists.txt b/llvm/lib/Fuzzer/test/CMakeLists.txt
index 4cff70c1111..ac21b460944 100644
--- a/llvm/lib/Fuzzer/test/CMakeLists.txt
+++ b/llvm/lib/Fuzzer/test/CMakeLists.txt
@@ -21,6 +21,7 @@ set(Tests
 SimpleCmpTest
 SimpleTest
 StrncmpTest
+ SwitchTest
 TimeoutTest
 )
diff --git a/llvm/lib/Fuzzer/test/SwitchTest.cpp b/llvm/lib/Fuzzer/test/SwitchTest.cpp
new file mode 100644
index 00000000000..6e300aa44e1
--- /dev/null
+++ b/llvm/lib/Fuzzer/test/SwitchTest.cpp
@@ -0,0 +1,35 @@
+// Simple test for a fuzzer. The fuzzer must find the interesting switch value.
+#include
+#include
+#include
+#include
+#include
+
+static volatile int Sink;
+
+template
+bool Switch(const uint8_t *Data, size_t Size) {
+ T X;
+ if (Size < sizeof(X)) return false;
+ memcpy(&X, Data, sizeof(X));
+ switch (X) {
+ case 1: Sink = __LINE__; break;
+ case 101: Sink = __LINE__; break;
+ case 1001: Sink = __LINE__; break;
+ case 10001: Sink = __LINE__; break;
+ case 100001: Sink = __LINE__; break;
+ case 1000001: Sink = __LINE__; break;
+ case 10000001: Sink = __LINE__; break;
+ case 100000001: return true;
+ }
+ return false;
+}
+
+extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ if (Switch(Data, Size) && Size >= 12 &&
+ Switch(Data + 4, Size - 4)) {
+ std::cout << "BINGO; Found the target, exiting\n";
+ exit(1);
+ }
+}
+
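Review bot: As rendered, the `#include` lines, the `template` line and the two `Switch(...)` call sites in `LLVMFuzzerTestOneInput` have lost their angle-bracket contents, so the hunk does not compile as shown; this looks like an extraction artifact of the page rather than a defect in the commit, and the upstream file should be consulted for the header names and the template arguments. With those arguments hidden, the guard `Size >= 12 &&` together with `Switch(Data + 4, Size - 4)` hard-codes the byte widths of the two instantiations and nothing ties the constants to the types; a comment such as `// 12 = width of the first switch key + width of the second; keep in sync with the template arguments` (or spelling the bound as a sum of `sizeof`s) would make the coupling explicit. The per-instantiation `if (Size < sizeof(X)) return false;` before the `memcpy` keeps every read inside the input buffer, so this is a readability point, not a memory-safety one.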
diff --git a/llvm/lib/Fuzzer/test/fuzzer.test b/llvm/lib/Fuzzer/test/fuzzer.test
index d6dd3ff7c95..63cb9573efa 100644
--- a/llvm/lib/Fuzzer/test/fuzzer.test
+++ b/llvm/lib/Fuzzer/test/fuzzer.test
@@ -31,3 +31,6 @@ Done1000000: Done 1000000 runs in
 RUN: not LLVMFuzzer-StrncmpTest -use_traces=1 -seed=1 -runs=10000 2>&1 | FileCheck %s
 RUN: LLVMFuzzer-StrncmpTest -seed=1 -runs=1000000 2>&1 | FileCheck %s --check-prefix=Done1000000
+
+RUN: not LLVMFuzzer-SwitchTest -use_traces=1 -seed=1 -runs=100000 2>&1 | FileCheck %s
+RUN: LLVMFuzzer-SwitchTest -seed=1 -runs=1000000 2>&1 | FileCheck %s --check-prefix=Done1000000
-- cgit v1.2.3
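Review bot: The second added line, `RUN: LLVMFuzzer-SwitchTest -seed=1 -runs=1000000 2>&1 | FileCheck %s --check-prefix=Done1000000`, passes only if the untraced mutator fails to reach the target within a million runs, yet nothing in the file says that this is a deliberate negative control; mirroring the StrncmpTest pair in the context lines suggests that is the intent. With `-seed=1` the outcome is deterministic, but any later mutator change could flip it into a failure that reads like a regression in switch tracing, so a line before the pair such as `# Negative control: without -use_traces the target should not be found in 1M runs` (lit only executes RUN: lines, so a bare comment line is ignored) would make the expectation explicit.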