author | Kostya Serebryany <kcc@google.com> | 2015-01-27 22:08:41 +0000 |
---|---|---|
committer | Kostya Serebryany <kcc@google.com> | 2015-01-27 22:08:41 +0000 |
commit | d53b43fe117c619aad57b5bf80000d1617eb142d (patch) | |
tree | 71b45ceb5839c384fcd2501ad10c70f084e2f86f /llvm/lib/Fuzzer/FuzzerMutate.cpp | |
parent | 7a503694febda8648e39417ba9039e3adeed5e36 (diff) | |
Add a Fuzzer library
Summary:
A simple genetic in-process coverage-guided fuzz testing library.
I've used this fuzzer to test clang-format
(it found 12+ bugs, thanks djasper@ for the fixes!)
and it may also help us test other parts of LLVM.
So why not keep it in the LLVM repository?
I plan to add the cmake build rules later (in a separate patch, if that's ok)
and also add a clang-format-fuzzer target.
See README.txt for details.
Test Plan: Tests will follow separately.
Reviewers: djasper, chandlerc, rnk
Reviewed By: rnk
Subscribers: majnemer, ygribov, dblaikie, llvm-commits
Differential Revision: http://reviews.llvm.org/D7184
llvm-svn: 227252
Diffstat (limited to 'llvm/lib/Fuzzer/FuzzerMutate.cpp')
-rw-r--r-- | llvm/lib/Fuzzer/FuzzerMutate.cpp | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/llvm/lib/Fuzzer/FuzzerMutate.cpp b/llvm/lib/Fuzzer/FuzzerMutate.cpp
new file mode 100644
index 0000000..2db8fac9
--- /dev/null
+++ b/llvm/lib/Fuzzer/FuzzerMutate.cpp
@@ -0,0 +1,62 @@
+//===- FuzzerMutate.cpp - Mutate a test input -----------------------------===//
+//
+// The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+// Mutate a test input.
+//===----------------------------------------------------------------------===//
+
+#include "FuzzerInternal.h"
+
+namespace fuzzer {
+
+static char FlipRandomBit(char X) {
+ int Bit = rand() % 8;
+ char Mask = 1 << Bit;
+ char R;
+ if (X & (1 << Bit))
+ R = X & ~Mask;
+ else
+ R = X | Mask;
+ assert(R != X);
+ return R;
+}
+
+static char RandCh() {
+ if (rand() % 2) return rand();
+ const char *Special = "!*'();:@&=+$,/?%#[]123ABCxyz-`~.";
+ return Special[rand() % (sizeof(Special) - 1)];
+}
+
+void Mutate(Unit *U, size_t MaxLen) {
+ assert(MaxLen > 0);
+ assert(U->size() <= MaxLen);
+ switch (rand() % 3) {
+ case 0:
+ if (U->size())
+ U->erase(U->begin() + rand() % U->size());
+ break;
+ case 1:
+ if (U->empty()) {
+ U->push_back(RandCh());
+ } else if (U->size() < MaxLen) {
+ U->insert(U->begin() + rand() % U->size(), RandCh());
+ } else { // At MaxLen.
+ uint8_t Ch = RandCh();
+ size_t Idx = rand() % U->size();
+ (*U)[Idx] = Ch;
+ }
+ break;
+ default:
+ if (!U->empty()) {
+ size_t idx = rand() % U->size();
+ (*U)[idx] = FlipRandomBit((*U)[idx]);
+ }
+ break;
+ }
+}
+
+} // namespace fuzzer |
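Review bot: `sizeof(Special)` in RandCh() measures the pointer rather than the string, because `Special` is declared as `const char *`; on a 64-bit target the index becomes `rand() % 7`, so only the first seven entries of the table (`!*'();:`) can ever be chosen and the remaining special characters, digits and letters are dead dictionary. Declaring the table as an array, `const char Special[] = "...";` (same literal as in the hunk), makes `sizeof(Special) - 1` the actual string length. A smaller point in FlipRandomBit: `char Mask = 1 << Bit;` with `Bit == 7` narrows 128 into a plain `char`, which is implementation-defined when `char` is signed; using `unsigned char` (or `uint8_t`, which Mutate already uses for the element it stores) for `X`, `Mask` and `R` avoids relying on that. Both functions are complete within the hunk.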