ZeroErr
fuzztest.h
Go to the documentation of this file.
1 #pragma once
2 
3 #include "zeroerr/internal/config.h"
4 #include "zeroerr/unittest.h"
5 
6 #include "zeroerr/domains/aggregate_of.h"
7 #include "zeroerr/domains/arbitrary.h"
8 #include "zeroerr/domains/container_of.h"
9 #include "zeroerr/domains/element_of.h"
10 #include "zeroerr/domains/in_range.h"
11 #include "zeroerr/internal/rng.h"
12 
13 
14 #include <exception>
15 #include <functional>
16 #include <string>
17 #include <tuple>
18 #include <type_traits>
19 #include <vector>
20 
21 ZEROERR_SUPPRESS_COMMON_WARNINGS_PUSH
22 
23 #define ZEROERR_CREATE_FUZZ_TEST_FUNC(function, name) \
24  static void function(zeroerr::TestContext*); \
25  static zeroerr::detail::regTest ZEROERR_NAMEGEN(_zeroerr_reg)( \
26  {name, __FILE__, __LINE__, function}, zeroerr::TestType::fuzz_test); \
27  static void function(ZEROERR_UNUSED(zeroerr::TestContext* _ZEROERR_TEST_CONTEXT))
28 
29 #define FUZZ_TEST_CASE(name) ZEROERR_CREATE_FUZZ_TEST_FUNC(ZEROERR_NAMEGEN(_zeroerr_testcase), name)
30 
31 #define FUZZ_FUNC(func) zeroerr::FuzzFunction(func, _ZEROERR_TEST_CONTEXT)
32 
33 
34 namespace zeroerr {
35 
36 namespace detail {
37 
42 template <typename... Args>
43 struct FunctionDecomposition {
44  static constexpr size_t numOfArgs = sizeof...(Args);
45  using ValueType = std::tuple<Args...>;
46 };
47 
48 template <typename... Args>
49 FunctionDecomposition<typename std::decay<Args>::type...> FunctionDecompositionImpl(
50  void (*)(Args...));
51 
52 template <typename... Args>
53 FunctionDecomposition<typename std::decay<Args>::type...> FunctionDecompositionImpl(
54  std::function<void(Args...)>);
55 
56 
57 template <typename T>
58 struct memfun_type {
59  using type = void;
60 };
61 
62 template <typename Ret, typename Class, typename... Args>
63 struct memfun_type<Ret (Class::*)(Args...) const> {
64  using ret_type = FunctionDecomposition<typename std::decay<Args>::type...>;
65 };
66 
67 template <typename F>
68 typename memfun_type<decltype(&F::operator())>::ret_type FunctionDecompositionImpl(F);
69 
70 
71 template <typename T>
72 using FunctionDecompositionT = decltype(FunctionDecompositionImpl(std::declval<T>()));
73 
74 } // namespace detail
75 
76 
82 template <typename TargetFunction,
83  typename FuncType = detail::FunctionDecompositionT<TargetFunction>>
84 struct FuzzTest;
85 
86 template <typename TargetFunction, typename FuncType, typename Domain,
87  typename Base = FuzzTest<TargetFunction, FuncType>>
88 struct FuzzTestWithDomain;
89 
90 struct IFuzzTest {
91  virtual void Run(int count = 1000, int seed = 0) = 0;
92  virtual void RunOneTime(const uint8_t* data, size_t size) = 0;
93  virtual std::string MutateData(const uint8_t* data, size_t size, size_t max_size,
94  unsigned int seed) = 0;
95 
96  int count = 0, max_count = 0;
97  bool should_stop() { return count == max_count; }
98 };
99 
100 class FuzzFinishedException : public std::exception {
101 public:
102  virtual const char* what() const throw() { return "Fuzzing finished"; }
103 };
104 
105 // The details are described in the declaration of the class.
106 template <typename TargetFunction, typename FuncType>
107 struct FuzzTest : IFuzzTest {
108  using ValueType = typename FuncType::ValueType;
109  FuzzTest(TargetFunction func, TestContext* context) : func(func), context(context) {}
110  FuzzTest(const FuzzTest& other)
111  : func(other.func), context(other.context), seeds(other.seeds) {}
112 
113  template <typename... T>
114  using FuzzTestWithDomainType =
115  FuzzTestWithDomain<TargetFunction, FuncType,
116  AggregateOf<std::tuple<typename T::ValueType...>, T...>>;
117 
121  template <typename... T>
122  FuzzTestWithDomainType<T...> WithDomains(
123  AggregateOf<std::tuple<typename T::ValueType...>, T...> domain) {
124  return FuzzTestWithDomainType<T...>(*this, domain);
125  }
126 
132  template <typename... T>
133  FuzzTestWithDomainType<T...> WithDomains(T&&... domains) {
134  return WithDomains(TupleOf(std::forward<T>(domains)...));
135  }
136 
137  FuzzTest& WithSeeds(std::vector<ValueType> _seeds) {
138  this->seeds.insert(this->seeds.end(), _seeds.begin(), _seeds.end());
139  return *this;
140  }
141 
142  // This should create default domains
143  virtual void Run(int = 1000, int = 0) {}
144  virtual void RunOneTime(const uint8_t*, size_t) {}
145  virtual std::string MutateData(const uint8_t*, size_t, size_t, unsigned int) { return ""; }
146 
147  TargetFunction func;
148  TestContext* context;
149  std::vector<ValueType> seeds;
150 };
151 
152 extern void RunFuzzTest(IFuzzTest& fuzz_test, int seed = 0, int runs = 1000, int max_len = 0,
153  int timeout = 1200, int len_control = 100);
154 
155 
163 template <typename TargetFunction, typename FuncType, typename Domain, typename Base>
164 struct FuzzTestWithDomain : public Base {
165  FuzzTestWithDomain(const Base& ft, const Domain& domain) : Base(ft), m_domain(domain) {}
166 
167  virtual void Run(int _count = 1000, int _seed = 0) override {
168  Base::count = 1;
169  Base::max_count = _count;
170  m_rng = new Rng(_seed);
171  RunFuzzTest(*this, _seed, _count, 500, 1200, 1);
172  delete m_rng;
173  m_rng = nullptr;
174  }
175 
176  typename Domain::CorpusType GetRandomCorpus() {
177  Rng& rng = *this->m_rng;
178  if (Base::seeds.size() > 0 && rng.bounded(2) == 0) {
179  return m_domain.FromValue(Base::seeds[rng() % Base::seeds.size()]);
180  }
181  return m_domain.GetRandomCorpus(rng);
182  }
183 
184  typename Domain::CorpusType TryParse(const std::string& input) {
185  try {
186  IRObject obj = IRObject::FromString(input);
187  if (obj.type == IRObject::Type::Undefined) return GetRandomCorpus();
188  return m_domain.ParseCorpus(obj);
189  } catch (...) {
190  return GetRandomCorpus();
191  }
192  }
193 
194  template <typename T, unsigned... I>
195  void apply(T args, detail::seq<I...>) {
196  this->func(std::get<I>(args)...);
197  }
198 
199  virtual void RunOneTime(const uint8_t* data, size_t size) override {
200  Base::count++;
201  std::string input = std::string((const char*)data, size);
202  typename Domain::CorpusType corpus = TryParse(input);
203  typename Domain::ValueType value = m_domain.GetValue(corpus);
204  apply(value, detail::gen_seq<std::tuple_size<typename Domain::ValueType>::value>{});
205  }
206 
207  virtual std::string MutateData(const uint8_t* data, size_t size, size_t max_size,
208  unsigned int seed) override {
209  Rng rng(seed);
210  std::string input = std::string((const char*)data, size);
211  typename Domain::CorpusType corpus = TryParse(input);
212  m_domain.Mutate(rng, corpus, false);
213  IRObject mutated_obj = m_domain.SerializeCorpus(corpus);
214  return IRObject::ToString(mutated_obj);
215  }
216 
217  Domain m_domain;
218  Rng* m_rng;
219 };
220 
221 
222 template <typename T>
223 FuzzTest<T> FuzzFunction(T func, TestContext* context) {
224  return FuzzTest<T>(func, context);
225 }
226 
227 template <typename T>
228 std::vector<T> ReadCorpusFromDir(std::string dir);
229 
230 
231 } // namespace zeroerr
232 
233 
234 ZEROERR_SUPPRESS_COMMON_WARNINGS_POP
aggregate_of.h
zeroerr::AggregateOf
Definition: aggregate_of.h:17
zeroerr::Domain
Domain class for generating random values of a specific type.
Definition: domain.h:22
zeroerr::Domain::GetValue
virtual ValueType GetValue(const CorpusType &v) const =0
zeroerr::Domain::Mutate
virtual void Mutate(Rng &rng, CorpusType &v, bool only_shrink=false) const =0
zeroerr::Domain::GetRandomCorpus
virtual CorpusType GetRandomCorpus(Rng &rng) const =0
zeroerr::Domain::SerializeCorpus
virtual IRObject SerializeCorpus(const CorpusType &v) const
Definition: domain.h:33
zeroerr::Domain::FromValue
virtual CorpusType FromValue(const ValueType &v) const =0
zeroerr::Domain::ParseCorpus
virtual CorpusType ParseCorpus(IRObject v) const
Definition: domain.h:32
zeroerr::FuzzFinishedException
Definition: fuzztest.h:100
zeroerr::FuzzFinishedException::what
virtual const char * what() const
Definition: fuzztest.h:102
zeroerr::Rng
Definition: rng.h:30
zeroerr::Rng::bounded
uint32_t bounded(uint32_t range) noexcept
Definition: rng.h:126
zeroerr::TestContext
TestContext is a class that holds the test results and reporter context. There are 8 different matric...
Definition: unittest.h:67
ZEROERR_SUPPRESS_COMMON_WARNINGS_POP
#define ZEROERR_SUPPRESS_COMMON_WARNINGS_POP
Definition: config.h:265
ZEROERR_SUPPRESS_COMMON_WARNINGS_PUSH
#define ZEROERR_SUPPRESS_COMMON_WARNINGS_PUSH
Definition: config.h:218
container_of.h
element_of.h
in_range.h
zeroerr::detail::FunctionDecompositionT
decltype(FunctionDecompositionImpl(std::declval< T >())) FunctionDecompositionT
Definition: fuzztest.h:72
zeroerr::detail::FunctionDecompositionImpl
FunctionDecomposition< typename std::decay< Args >::type... > FunctionDecompositionImpl(void(*)(Args...))
zeroerr
Definition: benchmark.cpp:17
zeroerr::RunFuzzTest
void RunFuzzTest(IFuzzTest &fuzz_test, int seed, int runs, int max_len, int timeout, int len_control)
Definition: fuzztest.cpp:32
zeroerr::ReadCorpusFromDir
std::vector< T > ReadCorpusFromDir(std::string dir)
zeroerr::fuzz_test
@ fuzz_test
Definition: unittest.h:254
zeroerr::TupleOf
AggregateOf< std::tuple< typename Inner::ValueType... >, Inner... > TupleOf(Inner &&... inner)
Definition: aggregate_of.h:83
zeroerr::FuzzFunction
FuzzTest< T > FuzzFunction(T func, TestContext *context)
Definition: fuzztest.h:223
zeroerr::FuzzTestWithDomain
FuzzTestWithDomain implements the Base class with the domain passed into.
Definition: fuzztest.h:164
zeroerr::FuzzTestWithDomain::m_domain
Domain m_domain
Definition: fuzztest.h:217
zeroerr::FuzzTestWithDomain::FuzzTestWithDomain
FuzzTestWithDomain(const Base &ft, const Domain &domain)
Definition: fuzztest.h:165
zeroerr::FuzzTestWithDomain::GetRandomCorpus
Domain::CorpusType GetRandomCorpus()
Definition: fuzztest.h:176
zeroerr::FuzzTestWithDomain::RunOneTime
virtual void RunOneTime(const uint8_t *data, size_t size) override
Definition: fuzztest.h:199
zeroerr::FuzzTestWithDomain::apply
void apply(T args, detail::seq< I... >)
Definition: fuzztest.h:195
zeroerr::FuzzTestWithDomain::MutateData
virtual std::string MutateData(const uint8_t *data, size_t size, size_t max_size, unsigned int seed) override
Definition: fuzztest.h:207
zeroerr::FuzzTestWithDomain::m_rng
Rng * m_rng
Definition: fuzztest.h:218
zeroerr::FuzzTestWithDomain::Run
virtual void Run(int _count=1000, int _seed=0) override
Definition: fuzztest.h:167
zeroerr::FuzzTestWithDomain::TryParse
Domain::CorpusType TryParse(const std::string &input)
Definition: fuzztest.h:184
zeroerr::FuzzTest
FuzzTest is a template class to create a fuzz test for the target function.
Definition: fuzztest.h:107
zeroerr::FuzzTest::func
TargetFunction func
Definition: fuzztest.h:147
zeroerr::FuzzTest::FuzzTest
FuzzTest(TargetFunction func, TestContext *context)
Definition: fuzztest.h:109
zeroerr::FuzzTest::WithDomains
FuzzTestWithDomainType< T... > WithDomains(T &&... domains)
Definition: fuzztest.h:133
zeroerr::FuzzTest::seeds
std::vector< ValueType > seeds
Definition: fuzztest.h:149
zeroerr::FuzzTest::context
TestContext * context
Definition: fuzztest.h:148
zeroerr::FuzzTest::Run
virtual void Run(int=1000, int=0)
Definition: fuzztest.h:143
zeroerr::FuzzTest::RunOneTime
virtual void RunOneTime(const uint8_t *, size_t)
Definition: fuzztest.h:144
zeroerr::FuzzTest::ValueType
typename FuncType::ValueType ValueType
Definition: fuzztest.h:108
zeroerr::FuzzTest::WithDomains
FuzzTestWithDomainType< T... > WithDomains(AggregateOf< std::tuple< typename T::ValueType... >, T... > domain)
Definition: fuzztest.h:122
zeroerr::FuzzTest::WithSeeds
FuzzTest & WithSeeds(std::vector< ValueType > _seeds)
Definition: fuzztest.h:137
zeroerr::FuzzTest::FuzzTest
FuzzTest(const FuzzTest &other)
Definition: fuzztest.h:110
zeroerr::FuzzTest::MutateData
virtual std::string MutateData(const uint8_t *, size_t, size_t, unsigned int)
Definition: fuzztest.h:145
zeroerr::IFuzzTest
Definition: fuzztest.h:90
zeroerr::IFuzzTest::RunOneTime
virtual void RunOneTime(const uint8_t *data, size_t size)=0
zeroerr::IFuzzTest::MutateData
virtual std::string MutateData(const uint8_t *data, size_t size, size_t max_size, unsigned int seed)=0
zeroerr::IFuzzTest::Run
virtual void Run(int count=1000, int seed=0)=0
zeroerr::IFuzzTest::should_stop
bool should_stop()
Definition: fuzztest.h:97
zeroerr::IFuzzTest::max_count
int max_count
Definition: fuzztest.h:96
zeroerr::IFuzzTest::count
int count
Definition: fuzztest.h:96
zeroerr::IRObject
Definition: serialization.h:17
zeroerr::IRObject::ToString
static std::string ToString(IRObject obj)
Definition: serialization.cpp:133
zeroerr::IRObject::FromString
static IRObject FromString(std::string str)
Definition: serialization.cpp:139
zeroerr::IRObject::type
unsigned type
Definition: serialization.h:42
zeroerr::detail::FunctionDecomposition
FunctionDecomposition is a meta function to decompose the function type. The ValueType and numOfArgs ...
Definition: fuzztest.h:43
zeroerr::detail::FunctionDecomposition::ValueType
std::tuple< Args... > ValueType
Definition: fuzztest.h:45
zeroerr::detail::FunctionDecomposition::numOfArgs
static constexpr size_t numOfArgs
Definition: fuzztest.h:44
zeroerr::detail::gen_seq
Definition: typetraits.h:58
zeroerr::detail::memfun_type
Definition: fuzztest.h:58
zeroerr::detail::memfun_type::type
void type
Definition: fuzztest.h:59
zeroerr::detail::seq
Definition: typetraits.h:55