Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / external / github.com / llvm / llvm-project / libcxx / a97ab84cd0a0fab558fad28c84360c4268667c48 / . / fuzzing / fuzzing.cpp
blob: 66a9d6af2e4bf1492d5e10eab845f0bdeb8935e5 [file] [log] [blame]
Marshall Clowbaa6fb32017-10-04 22:23:03 +0000[diff] [blame]1// -*- C++ -*-
2//===------------------------- fuzzing.cpp -------------------------------===//
3//
4// The LLVM Compiler Infrastructure
5//
6// This file is dual licensed under the MIT and the University of Illinois Open
7// Source Licenses. See LICENSE.TXT for details.
8//
9//===----------------------------------------------------------------------===//
10
11// A set of routines to use when fuzzing the algorithms in libc++
12// Each one tests a single algorithm.
13//
14// They all have the form of:
15// int `algorithm`(const uint8_t *data, size_t size);
16//
17// They perform the operation, and then check to see if the results are correct.
18// If so, they return zero, and non-zero otherwise.
19//
20// For example, sort calls std::sort, then checks two things:
21// (1) The resulting vector is sorted
22// (2) The resulting vector contains the same elements as the original data.
23
24
25
26#include "fuzzing.h"
27#include <vector>
28#include <algorithm>
Marshall Clowa97ab842017-10-23 23:19:30 +0000[diff] [blame^]29#include <functional>
Marshall Clowd84736b2017-10-12 14:48:09 +0000[diff] [blame]30#include <regex>
Marshall Clowbaa6fb32017-10-04 22:23:03 +0000[diff] [blame]31
Marshall Clowa97ab842017-10-23 23:19:30 +0000[diff] [blame^]32#include <iostream>
33
34// If we had C++14, we could use the four iterator version of is_permutation and equal
Marshall Clowbaa6fb32017-10-04 22:23:03 +0000[diff] [blame]35
36namespace fuzzing {
37
38// This is a struct we can use to test the stable_XXX algorithms.
39// perform the operation on the key, then check the order of the payload.
40
41struct stable_test {
42 uint8_t key;
Marshall Clow716c16d2017-10-18 20:40:57 +0000[diff] [blame]43 size_t payload;
Marshall Clowbaa6fb32017-10-04 22:23:03 +0000[diff] [blame]44
45 stable_test(uint8_t k) : key(k), payload(0) {}
Marshall Clow716c16d2017-10-18 20:40:57 +0000[diff] [blame]46 stable_test(uint8_t k, size_t p) : key(k), payload(p) {}
Marshall Clowbaa6fb32017-10-04 22:23:03 +0000[diff] [blame]47 };
48
49void swap(stable_test &lhs, stable_test &rhs)
50{
51 using std::swap;
52 swap(lhs.key, rhs.key);
53 swap(lhs.payload, rhs.payload);
54}
55
56struct key_less
57{
58 bool operator () (const stable_test &lhs, const stable_test &rhs) const
59 {
60 return lhs.key < rhs.key;
61 }
62};
63
64struct payload_less
65{
66 bool operator () (const stable_test &lhs, const stable_test &rhs) const
67 {
68 return lhs.payload < rhs.payload;
69 }
70};
71
72struct total_less
73{
74 bool operator () (const stable_test &lhs, const stable_test &rhs) const
75 {
76 return lhs.key == rhs.key ? lhs.payload < rhs.payload : lhs.key < rhs.key;
77 }
78};
79
80bool operator==(const stable_test &lhs, const stable_test &rhs)
81{
82 return lhs.key == rhs.key && lhs.payload == rhs.payload;
83}
84
85
86template<typename T>
87struct is_even
88{
89 bool operator () (const T &t) const
90 {
91 return t % 2 == 0;
92 }
93};
94
95
96template<>
97struct is_even<stable_test>
98{
99 bool operator () (const stable_test &t) const
100 {
101 return t.key % 2 == 0;
102 }
103};
104
105// == sort ==
106
107int sort(const uint8_t *data, size_t size)
108{
109 std::vector<uint8_t> working(data, data + size);
110 std::sort(working.begin(), working.end());
111
112 if (!std::is_sorted(working.begin(), working.end())) return 1;
113 if (!std::is_permutation(data, data + size, working.begin())) return 99;
114 return 0;
115}
116
117
118// == stable_sort ==
119
120int stable_sort(const uint8_t *data, size_t size)
121{
122 std::vector<stable_test> input;
123 for (size_t i = 0; i < size; ++i)
124 input.push_back(stable_test(data[i], i));
125 std::vector<stable_test> working = input;
126 std::stable_sort(working.begin(), working.end(), key_less());
127
128 if (!std::is_sorted(working.begin(), working.end(), key_less())) return 1;
129 auto iter = working.begin();
130 while (iter != working.end())
131 {
132 auto range = std::equal_range(iter, working.end(), *iter, key_less());
133 if (!std::is_sorted(range.first, range.second, total_less())) return 2;
134 iter = range.second;
135 }
136 if (!std::is_permutation(input.begin(), input.end(), working.begin())) return 99;
137 return 0;
138}
139
140// == partition ==
141
142int partition(const uint8_t *data, size_t size)
143{
144 std::vector<uint8_t> working(data, data + size);
145 auto iter = std::partition(working.begin(), working.end(), is_even<uint8_t>());
146
147 if (!std::all_of (working.begin(), iter, is_even<uint8_t>())) return 1;
148 if (!std::none_of(iter, working.end(), is_even<uint8_t>())) return 2;
149 if (!std::is_permutation(data, data + size, working.begin())) return 99;
150 return 0;
151}
152
153
154// == stable_partition ==
155
156int stable_partition (const uint8_t *data, size_t size)
157{
158 std::vector<stable_test> input;
159 for (size_t i = 0; i < size; ++i)
160 input.push_back(stable_test(data[i], i));
161 std::vector<stable_test> working = input;
162 auto iter = std::stable_partition(working.begin(), working.end(), is_even<stable_test>());
163
164 if (!std::all_of (working.begin(), iter, is_even<stable_test>())) return 1;
165 if (!std::none_of(iter, working.end(), is_even<stable_test>())) return 2;
166 if (!std::is_sorted(working.begin(), iter, payload_less())) return 3;
167 if (!std::is_sorted(iter, working.end(), payload_less())) return 4;
168 if (!std::is_permutation(input.begin(), input.end(), working.begin())) return 99;
169 return 0;
170}
171
172// == nth_element ==
173// use the first element as a position into the data
174int nth_element (const uint8_t *data, size_t size)
175{
176 if (size <= 1) return 0;
177 const size_t partition_point = data[0] % size;
178 std::vector<uint8_t> working(data + 1, data + size);
179 const auto partition_iter = working.begin() + partition_point;
180 std::nth_element(working.begin(), partition_iter, working.end());
181
182// nth may be the end iterator, in this case nth_element has no effect.
183 if (partition_iter == working.end())
184 {
185 if (!std::equal(data + 1, data + size, working.begin())) return 98;
186 }
187 else
188 {
189 const uint8_t nth = *partition_iter;
190 if (!std::all_of(working.begin(), partition_iter, [=](uint8_t v) { return v <= nth; }))
191 return 1;
192 if (!std::all_of(partition_iter, working.end(), [=](uint8_t v) { return v >= nth; }))
193 return 2;
194 if (!std::is_permutation(data + 1, data + size, working.begin())) return 99;
195 }
196
197 return 0;
198}
199
200// == partial_sort ==
201// use the first element as a position into the data
202int partial_sort (const uint8_t *data, size_t size)
203{
204 if (size <= 1) return 0;
205 const size_t sort_point = data[0] % size;
206 std::vector<uint8_t> working(data + 1, data + size);
207 const auto sort_iter = working.begin() + sort_point;
208 std::partial_sort(working.begin(), sort_iter, working.end());
209
210 if (sort_iter != working.end())
211 {
212 const uint8_t nth = *std::min_element(sort_iter, working.end());
213 if (!std::all_of(working.begin(), sort_iter, [=](uint8_t v) { return v <= nth; }))
214 return 1;
215 if (!std::all_of(sort_iter, working.end(), [=](uint8_t v) { return v >= nth; }))
216 return 2;
217 }
218 if (!std::is_sorted(working.begin(), sort_iter)) return 3;
219 if (!std::is_permutation(data + 1, data + size, working.begin())) return 99;
220
221 return 0;
222}
223
Marshall Clowd84736b2017-10-12 14:48:09 +0000[diff] [blame]224
225// -- regex fuzzers
226
227static int regex_helper(const uint8_t *data, size_t size, std::regex::flag_type flag)
228{
229 if (size > 0)
230 {
231 try
232 {
233 std::string s((const char *)data, size);
234 std::regex re(s, flag);
235 return std::regex_match(s, re) ? 1 : 0;
236 }
237 catch (std::regex_error &ex) {}
238 }
239 return 0;
240}
241
242
243int regex_ECMAScript (const uint8_t *data, size_t size)
244{
245 (void) regex_helper(data, size, std::regex_constants::ECMAScript);
246 return 0;
247}
248
249int regex_POSIX (const uint8_t *data, size_t size)
250{
251 (void) regex_helper(data, size, std::regex_constants::basic);
252 return 0;
253}
254
255int regex_extended (const uint8_t *data, size_t size)
256{
257 (void) regex_helper(data, size, std::regex_constants::extended);
258 return 0;
259}
260
261int regex_awk (const uint8_t *data, size_t size)
262{
263 (void) regex_helper(data, size, std::regex_constants::awk);
264 return 0;
265}
266
267int regex_grep (const uint8_t *data, size_t size)
268{
269 (void) regex_helper(data, size, std::regex_constants::grep);
270 return 0;
271}
272
273int regex_egrep (const uint8_t *data, size_t size)
274{
275 (void) regex_helper(data, size, std::regex_constants::egrep);
276 return 0;
277}
278
Marshall Clowa97ab842017-10-23 23:19:30 +0000[diff] [blame^]279// -- heap fuzzers
280int make_heap (const uint8_t *data, size_t size)
281{
282 std::vector<uint8_t> working(data, data + size);
283 std::make_heap(working.begin(), working.end());
284
285 if (!std::is_heap(working.begin(), working.end())) return 1;
286 if (!std::is_permutation(data, data + size, working.begin())) return 99;
287 return 0;
288}
289
290int push_heap (const uint8_t *data, size_t size)
291{
292 if (size < 2) return 0;
293
294// Make a heap from the first half of the data
295 std::vector<uint8_t> working(data, data + size);
296 auto iter = working.begin() + (size / 2);
297 std::make_heap(working.begin(), iter);
298 if (!std::is_heap(working.begin(), iter)) return 1;
299
300// Now push the rest onto the heap, one at a time
301 ++iter;
302 for (; iter != working.end(); ++iter) {
303 std::push_heap(working.begin(), iter);
304 if (!std::is_heap(working.begin(), iter)) return 2;
305 }
306
307 if (!std::is_permutation(data, data + size, working.begin())) return 99;
308 return 0;
309}
310
311int pop_heap (const uint8_t *data, size_t size)
312{
313 if (size < 2) return 0;
314 std::vector<uint8_t> working(data, data + size);
315 std::make_heap(working.begin(), working.end());
316
317// Pop things off, one at a time
318 auto iter = --working.end();
319 while (iter != working.begin()) {
320 std::pop_heap(working.begin(), iter);
321 if (!std::is_heap(working.begin(), --iter)) return 2;
322 }
323
324 return 0;
325}
326
327
328// -- search fuzzers
329int search (const uint8_t *data, size_t size)
330{
331 if (size < 2) return 0;
332
333 const size_t pat_size = data[0] * (size - 1) / std::numeric_limits<uint8_t>::max();
334 assert(pat_size <= size - 1);
335 const uint8_t *pat_begin = data + 1;
336 const uint8_t *pat_end = pat_begin + pat_size;
337 const uint8_t *data_end = data + size;
338 assert(pat_end <= data_end);
339// std::cerr << "data[0] = " << size_t(data[0]) << " ";
340// std::cerr << "Pattern size = " << pat_size << "; corpus is " << size - 1 << std::endl;
341 auto it = std::search(pat_end, data_end, pat_begin, pat_end);
342 if (it != data_end) // not found
343 if (!std::equal(pat_begin, pat_end, it))
344 return 1;
345 return 0;
346}
347
348template <typename S>
349static int search_helper (const uint8_t *data, size_t size)
350{
351 if (size < 2) return 0;
352
353 const size_t pat_size = data[0] * (size - 1) / std::numeric_limits<uint8_t>::max();
354 const uint8_t *pat_begin = data + 1;
355 const uint8_t *pat_end = pat_begin + pat_size;
356 const uint8_t *data_end = data + size;
357
358 auto it = std::search(pat_end, data_end, S(pat_begin, pat_end));
359 if (it != data_end) // not found
360 if (!std::equal(pat_begin, pat_end, it))
361 return 1;
362 return 0;
363}
364
365// These are still in std::experimental
366// int search_boyer_moore (const uint8_t *data, size_t size)
367// {
368// return search_helper<std::boyer_moore_searcher<const uint8_t *>>(data, size);
369// }
370//
371// int search_boyer_moore_horspool (const uint8_t *data, size_t size)
372// {
373// return search_helper<std::boyer_moore_horspool_searcher<const uint8_t *>>(data, size);
374// }
375
Marshall Clowbaa6fb32017-10-04 22:23:03 +0000[diff] [blame]376} // namespace fuzzing