[libFuzzer] add one more mutation strategy: byte shuffling

llvm-svn: 244188

1 files changed, 15 insertions, 1 deletions

diff --git a/llvm/lib/Fuzzer/FuzzerMutate.cpp b/llvm/lib/Fuzzer/FuzzerMutate.cpp
index fc31762..c425ae0 100644
--- a/llvm/lib/Fuzzer/FuzzerMutate.cpp
+++ b/llvm/lib/Fuzzer/FuzzerMutate.cpp
@@ -13,6 +13,8 @@
 
 #include "FuzzerInternal.h"
 
+#include <algorithm>
+
 namespace fuzzer {
 
 static char FlipRandomBit(char X, FuzzerRandomBase &Rand) {
@@ -33,6 +35,17 @@ static char RandCh(FuzzerRandomBase &Rand) {
   return Special[Rand(sizeof(Special) - 1)];
 }
 
+size_t Mutate_ShuffleBytes(uint8_t *Data, size_t Size, size_t MaxSize,
+                           FuzzerRandomBase &Rand) {
+  assert(Size);
+  size_t ShuffleAmount = Rand(std::min(Size, 8UL)) + 1;  // [1,8] and <= Size.
+  size_t ShuffleStart = Rand(Size - ShuffleAmount);
+  assert(ShuffleStart + ShuffleAmount <= Size);
+  std::random_shuffle(Data + ShuffleStart, Data + ShuffleStart + ShuffleAmount,
+                      Rand);
+  return Size;
+}
+
 size_t Mutate_EraseByte(uint8_t *Data, size_t Size, size_t MaxSize,
                         FuzzerRandomBase &Rand) {
   assert(Size);
@@ -78,11 +91,12 @@ size_t Mutate(uint8_t *Data, size_t Size, size_t MaxSize,
     return MaxSize;
   }
   assert(Size > 0);
-  switch (Rand(4)) {
+  switch (Rand(5)) {
   case 0: Size = Mutate_EraseByte(Data, Size, MaxSize, Rand); break;
   case 1: Size = Mutate_InsertByte(Data, Size, MaxSize, Rand); break;
   case 2: Size = Mutate_ChangeByte(Data, Size, MaxSize, Rand); break;
   case 3: Size = Mutate_ChangeBit(Data, Size, MaxSize, Rand); break;
+  case 4: Size = Mutate_ShuffleBytes(Data, Size, MaxSize, Rand); break;
   }
   assert(Size > 0);
   return Size;