Coverage Report

Created: 2018-09-25 14:53

/src/mozilla-central/tools/fuzzing/shmem/SharedMemoryFuzzer.cpp
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "FuzzingMutate.h"
#include "FuzzingTraits.h"
#include "nsDebug.h"
#include "prenv.h"
#include "SharedMemoryFuzzer.h"
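// Fallback returned by SharedMemoryFuzzer::MutationProbability() when
// SHMEM_FUZZER_MUTATION_PROBABILITY does not supply a usable value.
#define SHMEM_FUZZER_DEFAULT_MUTATION_PROBABILITY 2
// Fallback returned by SharedMemoryFuzzer::MutationFactor() when
// SHMEM_FUZZER_MUTATION_FACTOR does not supply a usable value.
#define SHMEM_FUZZER_DEFAULT_MUTATION_FACTOR 500
// printf-style diagnostic to stderr, emitted only when
// SharedMemoryFuzzer::IsLoggingEnabled() is true. The body is wrapped in
// do { ... } while (0) so the expansion is exactly one statement: a bare
// `if` here would capture the `else` of an unbraced if/else at the call site.
// `args...` / `## args` are the GNU named-variadic macro extension.
#define SHMEM_FUZZER_LOG(fmt, args...)                          \
  do {                                                          \
    if (SharedMemoryFuzzer::IsLoggingEnabled()) {               \
      printf_stderr("[SharedMemoryFuzzer] " fmt "\n", ## args); \
    }                                                           \
  } while (0)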
namespace mozilla {
namespace ipc {
using namespace fuzzing;
/* static */
/**
 * Reports whether fuzzer diagnostics should be printed.
 *
 * Logging is on when the SHMEM_FUZZER_ENABLE_LOGGING environment variable is
 * present; only its presence is tested, the value is never inspected. The
 * answer is computed on the first call and cached for later calls.
 *
 * NOTE(review): the cache is two plain function-local statics with no locking
 * visible here; confirm callers cannot race on the first call.
 *
 * @return true if logging is enabled, false otherwise.
 */
bool
SharedMemoryFuzzer::IsLoggingEnabled()
{
  static bool sChecked = false;
  static bool sEnabled = false;

  if (sChecked) {
    return sEnabled;
  }

  // A non-null result means the variable exists in the environment.
  sEnabled = PR_GetEnv("SHMEM_FUZZER_ENABLE_LOGGING") != nullptr;
  sChecked = true;
  return sEnabled;
}
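/* static */
/**
 * Reports whether shared-memory fuzzing is switched on.
 *
 * This is the gate MutateSharedMemory() checks before it touches any buffer.
 * Fuzzing is on when the SHMEM_FUZZER_ENABLE environment variable is present;
 * only its presence is tested, so any value (including an empty one) enables
 * it. The answer is computed on the first call and cached.
 *
 * NOTE(review): the cache is two plain function-local statics with no locking
 * visible here; confirm callers cannot race on the first call.
 *
 * @return true if the fuzzer is enabled, false otherwise.
 */
bool
SharedMemoryFuzzer::IsEnabled()
{
  static bool sInitialized = false;
  static bool sIsFuzzerEnabled = false;

  if (!sInitialized) {
    sIsFuzzerEnabled = !!PR_GetEnv("SHMEM_FUZZER_ENABLE");
    // Mark the lookup as done so the environment is consulted only once,
    // matching IsLoggingEnabled(); without this the flag is re-read on every
    // call and the on/off decision can change while the process runs.
    sInitialized = true;
  }
  return sIsFuzzerEnabled;
}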
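/* static */
/**
 * Returns the probability parameter handed to FuzzingTraits::Sometimes() by
 * MutateSharedMemory().
 *
 * The value comes from the SHMEM_FUZZER_MUTATION_PROBABILITY environment
 * variable, parsed as a base-10 integer, and falls back to
 * SHMEM_FUZZER_DEFAULT_MUTATION_PROBABILITY when the variable is unset or does
 * not yield a positive number. The result is computed once and cached.
 *
 * NOTE(review): how Sometimes() interprets the number is not visible in this
 * file; confirm before documenting it as "1 in N".
 *
 * @return the configured probability parameter, always greater than zero.
 */
uint64_t
SharedMemoryFuzzer::MutationProbability()
{
  static uint64_t sPropValue = SHMEM_FUZZER_DEFAULT_MUTATION_PROBABILITY;
  static bool sInitialized = false;

  if (sInitialized) {
    return sPropValue;
  }
  sInitialized = true;

  const char* probability = PR_GetEnv("SHMEM_FUZZER_MUTATION_PROBABILITY");
  if (probability) {
    // strtol yields 0 for text with no leading digits, ignores trailing
    // characters, and saturates at LONG_MAX/LONG_MIN on overflow.
    const long n = std::strtol(probability, nullptr, 10);
    // Accept strictly positive values only. A negative long stored into the
    // uint64_t would wrap to a value near UINT64_MAX instead of being
    // rejected, so treat it like any other unusable setting and keep the
    // default.
    if (n > 0) {
      sPropValue = static_cast<uint64_t>(n);
    }
  }
  return sPropValue;
}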
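/* static */
/**
 * Returns the factor handed to FuzzingTraits::Frequency() by
 * MutateSharedMemory() when it decides how many mutations to apply.
 *
 * The value comes from the SHMEM_FUZZER_MUTATION_FACTOR environment variable,
 * parsed as a base-10 integer, and falls back to
 * SHMEM_FUZZER_DEFAULT_MUTATION_FACTOR when the variable is unset or does not
 * yield a positive number. The result is computed once and cached.
 *
 * NOTE(review): how Frequency() combines the buffer size with this factor is
 * not visible in this file; confirm before documenting the resulting count.
 *
 * @return the configured mutation factor, always greater than zero.
 */
uint64_t
SharedMemoryFuzzer::MutationFactor()
{
  static uint64_t sPropValue = SHMEM_FUZZER_DEFAULT_MUTATION_FACTOR;
  static bool sInitialized = false;

  if (sInitialized) {
    return sPropValue;
  }
  sInitialized = true;

  const char* factor = PR_GetEnv("SHMEM_FUZZER_MUTATION_FACTOR");
  if (factor) {
    // strtol yields 0 for text with no leading digits, ignores trailing
    // characters, and saturates at LONG_MAX/LONG_MIN on overflow.
    const long n = std::strtol(factor, nullptr, 10);
    // Accept strictly positive values only. A negative long stored into the
    // uint64_t would wrap to a value near UINT64_MAX instead of being
    // rejected, so treat it like any other unusable setting and keep the
    // default.
    if (n > 0) {
      sPropValue = static_cast<uint64_t>(n);
    }
  }
  return sPropValue;
}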
/* static */
/**
 * Randomly corrupts a shared-memory region in place for fuzzing.
 *
 * Nothing is touched unless IsEnabled() is true, the region is non-empty and
 * mapped, and FuzzingTraits::Sometimes(MutationProbability()) fires. When it
 * does, FuzzingMutate::ChangeBit() is called on the region as many times as
 * FuzzingTraits::Frequency(aSize, MutationFactor()) returns.
 *
 * NOTE(review): aSize is passed to ChangeBit() unchanged, so the caller must
 * supply the true mapped length of aMemory; presumably ChangeBit() picks its
 * offset from that bound, which should be confirmed in FuzzingMutate.
 *
 * @param aMemory start of the mapped region; may be null.
 * @param aSize   size of the region in bytes; 0 is tolerated.
 * @return aMemory, unchanged as a pointer on every path.
 */
void*
SharedMemoryFuzzer::MutateSharedMemory(void* aMemory, size_t aSize)
{
  if (!IsEnabled()) {
    return aMemory;
  }

  if (aSize == 0) {
    /* Shmem opened from foreign handle. */
    SHMEM_FUZZER_LOG("shmem is of size 0.");
  } else if (!aMemory) {
    /* Memory space is not mapped. */
    SHMEM_FUZZER_LOG("shmem memory space is not mapped.");
  } else if (FuzzingTraits::Sometimes(MutationProbability())) {
    // This region was selected for fuzzing on this call; decide how many
    // single-bit mutations to apply and run them.
    const size_t rounds = FuzzingTraits::Frequency(aSize, MutationFactor());
    SHMEM_FUZZER_LOG("shmem of size: %zu / mutations: %zu", aSize, rounds);

    uint8_t* const bytes = static_cast<uint8_t*>(aMemory);
    for (size_t remaining = rounds; remaining > 0; --remaining) {
      FuzzingMutate::ChangeBit(bytes, aSize);
    }
  }

  return aMemory;
}
} // namespace ipc
} // namespace mozilla