1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
|
//===- FuzzerAdapter.h - Arbitrary function Fuzzer adapter -------*- C++ -*===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// W A R N I N G : E X P E R I M E N T A L.
//
// Defines an adapter to fuzz functions with (almost) arbitrary signatures.
//===----------------------------------------------------------------------===//
#ifndef LLVM_FUZZER_ADAPTER_H
#define LLVM_FUZZER_ADAPTER_H
#include <stddef.h>
#include <stdint.h>
#include <algorithm>
#include <string>
#include <tuple>
#include <vector>
namespace fuzzer {
/// Unpacks bytes from \p Data according to \p F argument types
/// and calls the function.
/// Use to automatically adapt LLVMFuzzerTestOneInput interface to
/// a specific function.
/// Supported argument types: primitive types, std::vector<uint8_t>.
template <typename Fn> bool Adapt(Fn F, const uint8_t *Data, size_t Size);
// The implementation performs several steps:
// - function argument types are obtained (Args...)
// - data is unpacked into std::tuple<Args...> one by one
// - function is called with std::tuple<Args...> containing arguments.
namespace impl {
// Single argument unpacking.
template <typename T>
size_t UnpackPrimitive(const uint8_t *Data, size_t Size, T *Value) {
if (Size < sizeof(T))
return Size;
*Value = *reinterpret_cast<const T *>(Data);
return Size - sizeof(T);
}
/// Unpacks into a given Value and returns the Size - num_consumed_bytes.
/// Return value equal to Size signals inability to unpack the data (typically
/// because there are not enough bytes).
template <typename T>
size_t UnpackSingle(const uint8_t *Data, size_t Size, T *Value);
#define UNPACK_SINGLE_PRIMITIVE(Type) \
template <> \
size_t UnpackSingle<Type>(const uint8_t *Data, size_t Size, Type *Value) { \
return UnpackPrimitive(Data, Size, Value); \
}
UNPACK_SINGLE_PRIMITIVE(char)
UNPACK_SINGLE_PRIMITIVE(signed char)
UNPACK_SINGLE_PRIMITIVE(unsigned char)
UNPACK_SINGLE_PRIMITIVE(short int)
UNPACK_SINGLE_PRIMITIVE(unsigned short int)
UNPACK_SINGLE_PRIMITIVE(int)
UNPACK_SINGLE_PRIMITIVE(unsigned int)
UNPACK_SINGLE_PRIMITIVE(long int)
UNPACK_SINGLE_PRIMITIVE(unsigned long int)
UNPACK_SINGLE_PRIMITIVE(bool)
UNPACK_SINGLE_PRIMITIVE(wchar_t)
UNPACK_SINGLE_PRIMITIVE(float)
UNPACK_SINGLE_PRIMITIVE(double)
UNPACK_SINGLE_PRIMITIVE(long double)
#undef UNPACK_SINGLE_PRIMITIVE
template <>
size_t UnpackSingle<std::vector<uint8_t>>(const uint8_t *Data, size_t Size,
std::vector<uint8_t> *Value) {
if (Size < 1)
return Size;
size_t Len = std::min(static_cast<size_t>(*Data), Size - 1);
std::vector<uint8_t> V(Data + 1, Data + 1 + Len);
Value->swap(V);
return Size - Len - 1;
}
template <>
size_t UnpackSingle<std::string>(const uint8_t *Data, size_t Size,
std::string *Value) {
if (Size < 1)
return Size;
size_t Len = std::min(static_cast<size_t>(*Data), Size - 1);
std::string S(Data + 1, Data + 1 + Len);
Value->swap(S);
return Size - Len - 1;
}
// Unpacking into arbitrary tuple.
// Recursion guard.
template <int N, typename TupleT>
typename std::enable_if<N == std::tuple_size<TupleT>::value, bool>::type
UnpackImpl(const uint8_t *Data, size_t Size, TupleT *Tuple) {
return true;
}
// Unpack tuple elements starting from Nth.
template <int N, typename TupleT>
typename std::enable_if<N < std::tuple_size<TupleT>::value, bool>::type
UnpackImpl(const uint8_t *Data, size_t Size, TupleT *Tuple) {
size_t NewSize = UnpackSingle(Data, Size, &std::get<N>(*Tuple));
if (NewSize == Size) {
return false;
}
return UnpackImpl<N + 1, TupleT>(Data + (Size - NewSize), NewSize, Tuple);
}
// Unpacks into arbitrary tuple and returns true if successful.
template <typename... Args>
bool Unpack(const uint8_t *Data, size_t Size, std::tuple<Args...> *Tuple) {
return UnpackImpl<0, std::tuple<Args...>>(Data, Size, Tuple);
}
// Helper integer sequence templates.
template <int...> struct Seq {};
template <int N, int... S> struct GenSeq : GenSeq<N - 1, N - 1, S...> {};
// GenSeq<N>::type is Seq<0, 1, ..., N-1>
template <int... S> struct GenSeq<0, S...> { typedef Seq<S...> type; };
// Function signature introspection.
template <typename T> struct FnTraits {};
template <typename ReturnType, typename... Args>
struct FnTraits<ReturnType (*)(Args...)> {
enum { Arity = sizeof...(Args) };
typedef std::tuple<Args...> ArgsTupleT;
};
// Calling a function with arguments in a tuple.
template <typename Fn, int... S>
void ApplyImpl(Fn F, const typename FnTraits<Fn>::ArgsTupleT &Params,
Seq<S...>) {
F(std::get<S>(Params)...);
}
template <typename Fn>
void Apply(Fn F, const typename FnTraits<Fn>::ArgsTupleT &Params) {
// S is Seq<0, ..., Arity-1>
auto S = typename GenSeq<FnTraits<Fn>::Arity>::type();
ApplyImpl(F, Params, S);
}
// Unpacking data into arguments tuple of correct type and calling the function.
template <typename Fn>
bool UnpackAndApply(Fn F, const uint8_t *Data, size_t Size) {
typename FnTraits<Fn>::ArgsTupleT Tuple;
if (!Unpack(Data, Size, &Tuple))
return false;
Apply(F, Tuple);
return true;
}
} // namespace impl
template <typename Fn> bool Adapt(Fn F, const uint8_t *Data, size_t Size) {
return impl::UnpackAndApply(F, Data, Size);
}
} // namespace fuzzer
#endif
|
