Changeset 83266 in vbox for trunk/src/VBox/Runtime

Timestamp:

Mar 11, 2020 6:38:31 PM (5 years ago)

Author:

vboxsync

Message:

Runtime/common/fuzz: Add API to specify the range in an input corpus where mutations are allowed, global and per input. Allows fuzzing certain interesting areas which might not be reached that often otherwise

File:

• trunk/src/VBox/Runtime/common/fuzz/fuzz.cpp (modified) (13 diffs)

trunk/src/VBox/Runtime/common/fuzz/fuzz.cpp

@@ -206 +206 @@
     /** Parent mutation (no reference is held), NULL means root or original data. */
     PRTFUZZMUTATION             pMutationParent;
+    /** Start offset where new mutations are allowed to start. */
+    uint64_t                    offMutStartNew;
+    /** Size of the range in bytes where mutations are allowed to happen. */
+    uint64_t                    cbMutNew;
     /** Mutation level. */
     uint32_t                    iLvl;
@@ -302 +306 @@
     /** Total number of bytes of memory currently allocated in total for this context. */
     volatile size_t             cbMemTotal;
+    /** Start offset in the input where a mutation is allowed to happen. */
+    uint64_t                    offMutStart;
+    /** size of the range where a mutation can happen. */
+    uint64_t                    cbMutRange;
 } RTFUZZCTXINT;
 
@@ -784 +792 @@
 
 /**
+ * Creates a new mutation capable of holding the additional number of bytes - extended version.
+ *
+ * @returns Pointer to the newly created mutation or NULL if out of memory.
+ * @param   pThis               The fuzzer context instance.
+ * @param   offMutation         The starting offset for the mutation.
+ * @param   pMutationParent     The parent mutation, can be NULL.
+ * @param   offMuStartNew       Offset where descendants of the created mutation can start to mutate.
+ * @param   cbMutNew            Range in bytes where descendants of the created mutation can mutate.c
+ * @param   cbAdditional        Additional number of bytes to allocate after the core structure.
+ * @param   ppvMutation         Where to store the pointer to the mutation dependent data on success.
+ */
+static PRTFUZZMUTATION rtFuzzMutationCreateEx(PRTFUZZCTXINT pThis, uint64_t offMutation, PRTFUZZMUTATION pMutationParent,
+                                              uint64_t offMutStartNew, uint64_t cbMutNew, size_t cbAdditional, void **ppvMutation)
+{
+    PRTFUZZMUTATION pMutation = (PRTFUZZMUTATION)rtFuzzCtxMemoryAlloc(pThis, sizeof(RTFUZZMUTATION) + cbAdditional);
+    if (RT_LIKELY(pMutation))
+    {
+        pMutation->u32Magic        = 0; /** @todo */
+        pMutation->pFuzzer         = pThis;
+        pMutation->cRefs           = 1;
+        pMutation->iLvl            = 0;
+        pMutation->offMutation     = offMutation;
+        pMutation->pMutationParent = pMutationParent;
+        pMutation->offMutStartNew  = offMutStartNew;
+        pMutation->cbMutNew        = cbMutNew;
+        pMutation->cbMutation      = cbAdditional;
+        pMutation->fInTree         = false;
+        pMutation->fCached         = false;
+        pMutation->pvInput         = NULL;
+        pMutation->cbInput         = 0;
+        pMutation->cbAlloc         = 0;
+
+        if (pMutationParent)
+            pMutation->iLvl = pMutationParent->iLvl + 1;
+        if (ppvMutation)
+            *ppvMutation = &pMutation->abMutation[0];
+    }
+
+    return pMutation;
+}
+
+
+/**
  * Creates a new mutation capable of holding the additional number of bytes.
  *
@@ -793 +844 @@
  * @param   ppvMutation         Where to store the pointer to the mutation dependent data on success.
  */
-static PRTFUZZMUTATION rtFuzzMutationCreate(PRTFUZZCTXINT pThis, uint64_t offMutation, PRTFUZZMUTATION pMutationParent,
-                                            size_t cbAdditional, void **ppvMutation)
-{
-    PRTFUZZMUTATION pMutation = (PRTFUZZMUTATION)rtFuzzCtxMemoryAlloc(pThis, sizeof(RTFUZZMUTATION) + cbAdditional);
-    if (RT_LIKELY(pMutation))
-    {
-        pMutation->u32Magic        = 0; /** @todo */
-        pMutation->pFuzzer         = pThis;
-        pMutation->cRefs           = 1;
-        pMutation->iLvl            = 0;
-        pMutation->offMutation     = offMutation;
-        pMutation->pMutationParent = pMutationParent;
-        pMutation->cbMutation      = cbAdditional;
-        pMutation->fInTree         = false;
-        pMutation->fCached         = false;
-        pMutation->pvInput         = NULL;
-        pMutation->cbInput         = 0;
-        pMutation->cbAlloc         = 0;
-
-        if (pMutationParent)
-            pMutation->iLvl = pMutationParent->iLvl + 1;
-        if (ppvMutation)
-            *ppvMutation = &pMutation->abMutation[0];
-    }
-
-    return pMutation;
+DECLINLINE(PRTFUZZMUTATION) rtFuzzMutationCreate(PRTFUZZCTXINT pThis, uint64_t offMutation, PRTFUZZMUTATION pMutationParent,
+                                                 size_t cbAdditional, void **ppvMutation)
+{
+    uint64_t offMutNew = pMutationParent ? pMutationParent->offMutStartNew : pThis->offMutStart;
+    uint64_t cbMutNew = pMutationParent ? pMutationParent->cbMutNew : pThis->cbMutRange;
+
+    return rtFuzzMutationCreateEx(pThis, offMutation, pMutationParent, offMutNew, cbMutNew, cbAdditional, ppvMutation);
 }
 
@@ -1422 +1454 @@
         pThis->cbMutationsAllocMax = _1G;
         pThis->cbMemTotal          = 0;
+        pThis->offMutStart         = 0;
+        pThis->cbMutRange          = UINT64_MAX;
         RTListInit(&pThis->LstMutationsAlloc);
 
@@ -1788 +1822 @@
     AssertReturn(cbInput, VERR_INVALID_POINTER);
 
+    return RTFuzzCtxCorpusInputAddEx(hFuzzCtx, pvInput, cbInput, pThis->offMutStart, pThis->cbMutRange);
+}
+
+
+RTDECL(int) RTFuzzCtxCorpusInputAddEx(RTFUZZCTX hFuzzCtx, const void *pvInput, size_t cbInput,
+                                      uint64_t offMutStart, uint64_t cbMutRange)
+{
+    PRTFUZZCTXINT pThis = hFuzzCtx;
+    AssertPtrReturn(pThis, VERR_INVALID_POINTER);
+    AssertPtrReturn(pvInput, VERR_INVALID_POINTER);
+    AssertReturn(cbInput, VERR_INVALID_POINTER);
+
     int rc = VINF_SUCCESS;
     void *pvCorpus = NULL;
-    PRTFUZZMUTATION pMutation = rtFuzzMutationCreate(pThis, 0, NULL, cbInput, &pvCorpus);
+    PRTFUZZMUTATION pMutation = rtFuzzMutationCreateEx(pThis, 0, NULL, offMutStart, cbMutRange,
+                                                       cbInput, &pvCorpus);
     if (RT_LIKELY(pMutation))
     {
@@ -1814 +1861 @@
     AssertPtrReturn(pszFilename, VERR_INVALID_POINTER);
 
+    return RTFuzzCtxCorpusInputAddFromFileEx(hFuzzCtx, pszFilename, pThis->offMutStart, pThis->cbMutRange);
+}
+
+
+RTDECL(int) RTFuzzCtxCorpusInputAddFromFileEx(RTFUZZCTX hFuzzCtx, const char *pszFilename,
+                                              uint64_t offMutStart, uint64_t cbMutRange)
+{
+    PRTFUZZCTXINT pThis = hFuzzCtx;
+    AssertPtrReturn(pThis, VERR_INVALID_POINTER);
+    AssertPtrReturn(pszFilename, VERR_INVALID_POINTER);
+
     void *pv = NULL;
     size_t cb = 0;
@@ -1819 +1877 @@
     if (RT_SUCCESS(rc))
     {
-        rc = RTFuzzCtxCorpusInputAdd(hFuzzCtx, pv, cb);
+        rc = RTFuzzCtxCorpusInputAddEx(hFuzzCtx, pv, cb, offMutStart, cbMutRange);
         RTFileReadAllFree(pv, cb);
     }
@@ -1828 +1886 @@
 
 RTDECL(int) RTFuzzCtxCorpusInputAddFromVfsFile(RTFUZZCTX hFuzzCtx, RTVFSFILE hVfsFile)
+{
+    PRTFUZZCTXINT pThis = hFuzzCtx;
+    AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
+    AssertReturn(hVfsFile != NIL_RTVFSFILE, VERR_INVALID_HANDLE);
+
+    return RTFuzzCtxCorpusInputAddFromVfsFileEx(hFuzzCtx, hVfsFile, pThis->offMutStart, pThis->cbMutRange);
+}
+
+
+RTDECL(int) RTFuzzCtxCorpusInputAddFromVfsFileEx(RTFUZZCTX hFuzzCtx, RTVFSFILE hVfsFile,
+                                                 uint64_t offMutStart, uint64_t cbMutRange)
 {
     PRTFUZZCTXINT pThis = hFuzzCtx;
@@ -1838 +1907 @@
     if (RT_SUCCESS(rc))
     {
-        PRTFUZZMUTATION pMutation = rtFuzzMutationCreate(pThis, 0, NULL, cbFile, &pvCorpus);
+        PRTFUZZMUTATION pMutation = rtFuzzMutationCreateEx(pThis, 0, NULL, offMutStart, cbMutRange,
+                                                           cbFile, &pvCorpus);
         if (RT_LIKELY(pMutation))
         {
@@ -1851 +1921 @@
                 rtFuzzMutationDestroy(pMutation);
         }
+        else
+            rc = VERR_NO_MEMORY;
     }
 
@@ -1967 +2039 @@
 
 
+RTDECL(int) RTFuzzCtxCfgSetMutationRange(RTFUZZCTX hFuzzCtx, uint64_t offStart, uint64_t cbRange)
+{
+    PRTFUZZCTXINT pThis = hFuzzCtx;
+    AssertPtrReturn(pThis, VERR_INVALID_POINTER);
+
+    pThis->offMutStart = offStart;
+    pThis->cbMutRange  = cbRange;
+    return VINF_SUCCESS;
+}
+
+
 RTDECL(int) RTFuzzCtxReseed(RTFUZZCTX hFuzzCtx, uint64_t uSeed)
 {
@@ -1994 +2077 @@
         uint64_t offStart = 0;
         if (!(pMutator->fFlags & RTFUZZMUTATOR_F_END_OF_BUF))
-            offStart = RTRandAdvU64Ex(pThis->hRand, 0, pMutationParent->cbInput - 1);
+        {
+            uint64_t offMax = pMutationParent->cbInput - 1;
+            if (   pMutation->cbMutNew != UINT64_MAX
+                && pMutation->offMutStartNew + pMutation->cbMutNew < offMax)
+                offMax = pMutation->offMutStartNew + pMutation->cbMutNew - 1;
+
+            offStart = RTRandAdvU64Ex(pThis->hRand, pMutation->offMutStartNew, offMax);
+        }
         else
             offStart = pMutationParent->cbInput;