Bug 1330237 - Call default mutators instead of patching libFuzzer r=mt
authorTim Taubert <ttaubert@mozilla.com>
Wed, 11 Jan 2017 10:42:45 +0100
changeset 13016 8cc468f87ff0836d0f1cb0babf2d564ba255fe7c
parent 13015 a92acea05009d607291da3a7af05d32b7eae9c62
child 13017 719f16bdf510a2d36988b43eef569b75ceabad95
push id1921
push userttaubert@mozilla.com
push dateWed, 11 Jan 2017 09:43:33 +0000
reviewersmt
bugs1330237
Bug 1330237 - Call default mutators instead of patching libFuzzer r=mt Differential Revision: https://nss-review.dev.mozaws.net/D141
fuzz/clone_libfuzzer.sh
fuzz/shared.h
--- a/fuzz/clone_libfuzzer.sh
+++ b/fuzz/clone_libfuzzer.sh
@@ -1,35 +1,13 @@
 #!/bin/sh
 
 d=$(dirname $0)
 $d/git-copy.sh https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer e6cbbd6ba1cd57e52cb3a237974c89911b08b5d7 $d/libFuzzer
 
-# [https://llvm.org/bugs/show_bug.cgi?id=31583]
-# Libfuzzer currently disables all internal default mutators when we specify
-# a custom one. Need to file a bug to maybe have an option to disable this, or
-# make ours the default behavior.
-cat <<EOF | patch -p0 -d $d
-diff --git libFuzzer/FuzzerMutate.cpp libFuzzer/FuzzerMutate.cpp
---- libFuzzer/FuzzerMutate.cpp
-+++ libFuzzer/FuzzerMutate.cpp
-@@ -52,10 +52,9 @@
-     DefaultMutators.push_back(
-         {&MutationDispatcher::Mutate_AddWordFromTORC, "CMP"});
-
-+  Mutators = DefaultMutators;
-   if (EF->LLVMFuzzerCustomMutator)
-     Mutators.push_back({&MutationDispatcher::Mutate_Custom, "Custom"});
--  else
--    Mutators = DefaultMutators;
-
-   if (EF->LLVMFuzzerCustomCrossOver)
-     Mutators.push_back(
-EOF
-
 # [https://llvm.org/bugs/show_bug.cgi?id=31318]
 # This prevents a known buffer overrun that won't be fixed as the affected code
 # will go away in the near future. Until that is we have to patch it as we seem
 # to constantly run into it.
 cat <<EOF | patch -p0 -d $d
 diff --git libFuzzer/FuzzerLoop.cpp libFuzzer/FuzzerLoop.cpp
 --- libFuzzer/FuzzerLoop.cpp
 +++ libFuzzer/FuzzerLoop.cpp
--- a/fuzz/shared.h
+++ b/fuzz/shared.h
@@ -22,18 +22,28 @@ void QuickDERDecode(void *dst, const SEC
   SECItem data = {siBuffer, const_cast<unsigned char *>(buf),
                   static_cast<unsigned int>(len)};
 
   PORT_InitCheapArena(&pool, DER_DEFAULT_CHUNKSIZE);
   (void)SEC_QuickDERDecodeItem(&pool.arena, dst, tpl, &data);
   PORT_DestroyCheapArena(&pool);
 }
 
-#define ADD_CUSTOM_MUTATORS(...)                                             \
-  extern "C" size_t LLVMFuzzerCustomMutator(                                 \
-      uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed) {       \
-    std::vector<decltype(LLVMFuzzerCustomMutator) *> mutators = __VA_ARGS__; \
-    fuzzer::Random R(Seed);                                                  \
-    auto idx = R(mutators.size());                                           \
-    return mutators.at(idx)(Data, Size, MaxSize, Seed);                      \
+size_t CustomMutate(std::vector<decltype(LLVMFuzzerCustomMutator) *> mutators,
+                    uint8_t *Data, size_t Size, size_t MaxSize,
+                    unsigned int Seed) {
+  fuzzer::Random R(Seed);
+
+  if (R.RandBool()) {
+    auto idx = R(mutators.size());
+    return mutators.at(idx)(Data, Size, MaxSize, Seed);
+  }
+
+  return LLVMFuzzerMutate(Data, Size, MaxSize);
+}
+
+#define ADD_CUSTOM_MUTATORS(...)                                       \
+  extern "C" size_t LLVMFuzzerCustomMutator(                           \
+      uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed) { \
+    return CustomMutate(__VA_ARGS__, Data, Size, MaxSize, Seed);       \
   }
 
 #endif  // shared_h__
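Review bot: `CustomMutate` at L71 is a non-`static`, non-`inline` function defined in a header, so any second translation unit that includes `shared.h` will hit a duplicate-symbol link error; it also takes the `mutators` vector by value, so the braced list the `ADD_CUSTOM_MUTATORS` macro expands to is materialized and copied on every mutation call. Changing the signature to `static size_t CustomMutate(const std::vector<decltype(LLVMFuzzerCustomMutator) *> &mutators,` fixes both without touching callers. An empty mutator list would reach `R(mutators.size())` with 0 (libFuzzer's `Random::operator()` reduces modulo `n`), which is worth an `assert(!mutators.empty());` at the top of the function since the macro makes that list caller-controlled. One thing to confirm rather than assert: `LLVMFuzzerMutate` and `LLVMFuzzerCustomMutator` must be declared above this point in the header (presumably via a libFuzzer interface include not shown in this hunk), since `decltype(LLVMFuzzerCustomMutator)` is now used before the macro that defines it.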