/* * Copyright 2016 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include "ProtoFuzzerMutator.h" #include <iostream> using std::cerr; using std::cout; using std::endl; using std::make_unique; using std::unordered_map; using namespace std::placeholders; namespace android { namespace vts { namespace fuzzer { ProtoFuzzerMutator::ProtoFuzzerMutator( Random &rand, unordered_map<string, TypeSpec> predefined_types, ProtoFuzzerMutatorConfig mutator_config) : rand_(rand), predefined_types_(predefined_types), mutator_config_(mutator_config) { // Default function used for mutation/random generation. Used for types for // which the notion of mutation/random generation is not defined, e.g. // TYPE_HANDLE, TYPE_HIDL_CALLBACK. VarTransformFn default_transform = [](const VariableSpecificationMessage &var_spec) { return VariableSpecificationMessage{var_spec}; }; // Initialize random_gen_fns_ and mutate_fns_ tables. random_gen_fns_[TYPE_ARRAY] = std::bind(&ProtoFuzzerMutator::ArrayRandomGen, this, _1); mutate_fns_[TYPE_ARRAY] = std::bind(&ProtoFuzzerMutator::ArrayMutate, this, _1); random_gen_fns_[TYPE_ENUM] = std::bind(&ProtoFuzzerMutator::EnumRandomGen, this, _1); mutate_fns_[TYPE_ENUM] = std::bind(&ProtoFuzzerMutator::EnumMutate, this, _1); random_gen_fns_[TYPE_HANDLE] = default_transform; mutate_fns_[TYPE_HANDLE] = default_transform; random_gen_fns_[TYPE_HIDL_CALLBACK] = default_transform; mutate_fns_[TYPE_HIDL_CALLBACK] = default_transform; random_gen_fns_[TYPE_HIDL_INTERFACE] = default_transform; mutate_fns_[TYPE_HIDL_INTERFACE] = default_transform; random_gen_fns_[TYPE_HIDL_MEMORY] = default_transform; mutate_fns_[TYPE_HIDL_MEMORY] = default_transform; // Interpret masks as enums. random_gen_fns_[TYPE_MASK] = std::bind(&ProtoFuzzerMutator::EnumRandomGen, this, _1); mutate_fns_[TYPE_MASK] = std::bind(&ProtoFuzzerMutator::EnumMutate, this, _1); random_gen_fns_[TYPE_POINTER] = default_transform; mutate_fns_[TYPE_POINTER] = default_transform; random_gen_fns_[TYPE_SCALAR] = std::bind(&ProtoFuzzerMutator::ScalarRandomGen, this, _1); mutate_fns_[TYPE_SCALAR] = std::bind(&ProtoFuzzerMutator::ScalarMutate, this, _1); random_gen_fns_[TYPE_STRING] = std::bind(&ProtoFuzzerMutator::StringRandomGen, this, _1); mutate_fns_[TYPE_STRING] = std::bind(&ProtoFuzzerMutator::StringMutate, this, _1); random_gen_fns_[TYPE_STRUCT] = std::bind(&ProtoFuzzerMutator::StructRandomGen, this, _1); mutate_fns_[TYPE_STRUCT] = std::bind(&ProtoFuzzerMutator::StructMutate, this, _1); random_gen_fns_[TYPE_UNION] = std::bind(&ProtoFuzzerMutator::UnionRandomGen, this, _1); mutate_fns_[TYPE_UNION] = std::bind(&ProtoFuzzerMutator::UnionMutate, this, _1); random_gen_fns_[TYPE_VECTOR] = std::bind(&ProtoFuzzerMutator::VectorRandomGen, this, _1); mutate_fns_[TYPE_VECTOR] = std::bind(&ProtoFuzzerMutator::VectorMutate, this, _1); } // TODO(trong): add a mutator config option which controls how an interface is // selected. const CompSpec *ProtoFuzzerMutator::RandomSelectIface(const IfaceDescTbl &tbl) { size_t rand_idx = rand_(tbl.size()); auto it = tbl.begin(); std::advance(it, rand_idx); return it->second.comp_spec_; } ExecSpec ProtoFuzzerMutator::RandomGen(const IfaceDescTbl &tbl, size_t num_calls) { cerr << "Generating a random execution." << endl; ExecSpec result{}; for (size_t i = 0; i < num_calls; ++i) { const CompSpec *comp_spec = RandomSelectIface(tbl); string iface_name = comp_spec->component_name(); const IfaceSpec &iface_spec = comp_spec->interface(); // Generate a random interface function call. FuncCall rand_call{}; rand_call.set_hidl_interface_name(iface_name); size_t num_apis = iface_spec.api_size(); size_t rand_api_idx = rand_(num_apis); FuncSpec rand_api = RandomGen(iface_spec.api(rand_api_idx)); *rand_call.mutable_api() = rand_api; *result.add_function_call() = rand_call; } return result; } void ProtoFuzzerMutator::Mutate(const IfaceDescTbl &tbl, ExecSpec *exec_spec) { // Mutate a randomly chosen function call with probability // odds_for/(odds_for + odds_against). uint64_t odds_for = mutator_config_.func_mutated_.first; uint64_t odds_against = mutator_config_.func_mutated_.second; uint64_t rand_num = rand_(odds_for + odds_against); if (rand_num < odds_for) { // Mutate a random function in execution. size_t idx = rand_(exec_spec->function_call_size()); const FuncSpec &rand_api = exec_spec->function_call(idx).api(); *exec_spec->mutable_function_call(idx)->mutable_api() = Mutate(rand_api); } else { // Generate a random function call in place of randomly chosen function in // execution. const CompSpec *comp_spec = RandomSelectIface(tbl); string iface_name = comp_spec->component_name(); const IfaceSpec &iface_spec = comp_spec->interface(); size_t func_idx = rand_(exec_spec->function_call_size()); size_t blueprint_idx = rand_(iface_spec.api_size()); FuncCall *func_call = exec_spec->mutable_function_call(func_idx); func_call->set_hidl_interface_name(iface_name); *func_call->mutable_api() = RandomGen(iface_spec.api(blueprint_idx)); } } FuncSpec ProtoFuzzerMutator::RandomGen(const FuncSpec &func_spec) { FuncSpec result{func_spec}; // We'll repopulate arg field. result.clear_arg(); result.clear_return_type_hidl(); for (const auto &var_spec : func_spec.arg()) { VarInstance rand_var_spec = RandomGen(var_spec); auto *new_var = result.add_arg(); new_var->Swap(&rand_var_spec); } return result; } FuncSpec ProtoFuzzerMutator::Mutate(const FuncSpec &func_spec) { FuncSpec result{func_spec}; size_t num_args = result.arg_size(); if (num_args > 0) { size_t rand_arg_idx = rand_(num_args); VarInstance rand_arg = Mutate(result.arg(rand_arg_idx)); result.mutable_arg(rand_arg_idx)->Swap(&rand_arg); } return result; } static VariableSpecificationMessage Transform( const VariableSpecificationMessage &var_spec, unordered_map<VariableType, VarTransformFn> &transform_fns) { auto type = var_spec.type(); auto transform_fn = transform_fns.find(type); if (transform_fn == transform_fns.end()) { cerr << "Transformation function not found for type: " << type << endl; std::abort(); } return transform_fn->second(var_spec); } VarInstance ProtoFuzzerMutator::RandomGen(const VarSpec &var_spec) { return Transform(var_spec, random_gen_fns_); } VarInstance ProtoFuzzerMutator::Mutate(const VarInstance &var_instance) { return Transform(var_instance, mutate_fns_); } const TypeSpec &ProtoFuzzerMutator::FindPredefinedType(string name) { auto type_spec = predefined_types_.find(name); if (type_spec == predefined_types_.end()) { cerr << "Predefined type not found: " << name << endl; std::abort(); } return type_spec->second; } } // namespace fuzzer } // namespace vts } // namespace android