// Copyright 2016 Google Inc. All rights reserved.
|
//
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
// you may not use this file except in compliance with the License.
|
// You may obtain a copy of the License at
|
//
|
// http://www.apache.org/licenses/LICENSE-2.0
|
//
|
// Unless required by applicable law or agreed to in writing, software
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
// See the License for the specific language governing permissions and
|
// limitations under the License.
|
|
#include "src/mutator.h"
|
|
#include <algorithm>
|
#include <functional>
|
#include <map>
|
#include <random>
|
#include <string>
|
|
#include "src/field_instance.h"
|
#include "src/utf8_fix.h"
|
#include "src/weighted_reservoir_sampler.h"
|
|
namespace protobuf_mutator {
|
|
using protobuf::Descriptor;
|
using protobuf::FieldDescriptor;
|
using protobuf::FileDescriptor;
|
using protobuf::Message;
|
using protobuf::OneofDescriptor;
|
using protobuf::Reflection;
|
using protobuf::util::MessageDifferencer;
|
using std::placeholders::_1;
|
|
namespace {
|
|
const int kMaxInitializeDepth = 200;
|
const uint64_t kDefaultMutateWeight = 1000000;
|
|
enum class Mutation {
|
None,
|
Add, // Adds new field with default value.
|
Mutate, // Mutates field contents.
|
Delete, // Deletes field.
|
Copy, // Copy values copied from another field.
|
|
// TODO(vitalybuka):
|
// Clone, // Adds new field with value copied from another field.
|
};
|
|
// Return random integer from [0, count)
|
size_t GetRandomIndex(RandomEngine* random, size_t count) {
|
assert(count > 0);
|
if (count == 1) return 0;
|
return std::uniform_int_distribution<size_t>(0, count - 1)(*random);
|
}
|
|
// Flips random bit in the buffer.
|
void FlipBit(size_t size, uint8_t* bytes, RandomEngine* random) {
|
size_t bit = GetRandomIndex(random, size * 8);
|
bytes[bit / 8] ^= (1u << (bit % 8));
|
}
|
|
// Flips random bit in the value.
|
template <class T>
|
T FlipBit(T value, RandomEngine* random) {
|
FlipBit(sizeof(value), reinterpret_cast<uint8_t*>(&value), random);
|
return value;
|
}
|
|
// Return true with probability about 1-of-n.
|
bool GetRandomBool(RandomEngine* random, size_t n = 2) {
|
return GetRandomIndex(random, n) == 0;
|
}
|
|
bool IsProto3SimpleField(const FieldDescriptor& field) {
|
assert(field.file()->syntax() == FileDescriptor::SYNTAX_PROTO3 ||
|
field.file()->syntax() == FileDescriptor::SYNTAX_PROTO2);
|
return field.file()->syntax() == FileDescriptor::SYNTAX_PROTO3 &&
|
field.cpp_type() != FieldDescriptor::CPPTYPE_MESSAGE &&
|
!field.containing_oneof() && !field.is_repeated();
|
}
|
|
struct CreateDefaultField : public FieldFunction<CreateDefaultField> {
|
template <class T>
|
void ForType(const FieldInstance& field) const {
|
T value;
|
field.GetDefault(&value);
|
field.Create(value);
|
}
|
};
|
|
struct DeleteField : public FieldFunction<DeleteField> {
|
template <class T>
|
void ForType(const FieldInstance& field) const {
|
field.Delete();
|
}
|
};
|
|
struct CopyField : public FieldFunction<CopyField> {
|
template <class T>
|
void ForType(const ConstFieldInstance& source,
|
const FieldInstance& field) const {
|
T value;
|
source.Load(&value);
|
field.Store(value);
|
}
|
};
|
|
struct AppendField : public FieldFunction<AppendField> {
|
template <class T>
|
void ForType(const ConstFieldInstance& source,
|
const FieldInstance& field) const {
|
T value;
|
source.Load(&value);
|
field.Create(value);
|
}
|
};
|
|
class IsEqualValueField : public FieldFunction<IsEqualValueField, bool> {
|
public:
|
template <class T>
|
bool ForType(const ConstFieldInstance& a, const ConstFieldInstance& b) const {
|
T aa;
|
a.Load(&aa);
|
T bb;
|
b.Load(&bb);
|
return IsEqual(aa, bb);
|
}
|
|
private:
|
bool IsEqual(const ConstFieldInstance::Enum& a,
|
const ConstFieldInstance::Enum& b) const {
|
assert(a.count == b.count);
|
return a.index == b.index;
|
}
|
|
bool IsEqual(const std::unique_ptr<protobuf::Message>& a,
|
const std::unique_ptr<protobuf::Message>& b) const {
|
return MessageDifferencer::Equals(*a, *b);
|
}
|
|
template <class T>
|
bool IsEqual(const T& a, const T& b) const {
|
return a == b;
|
}
|
};
|
|
// Selects random field and mutation from the given proto message.
|
class MutationSampler {
|
public:
|
MutationSampler(bool keep_initialized, RandomEngine* random, Message* message)
|
: keep_initialized_(keep_initialized), random_(random), sampler_(random) {
|
Sample(message);
|
assert(mutation() != Mutation::None ||
|
message->GetDescriptor()->field_count() == 0);
|
}
|
|
// Returns selected field.
|
const FieldInstance& field() const { return sampler_.selected().field; }
|
|
// Returns selected mutation.
|
Mutation mutation() const { return sampler_.selected().mutation; }
|
|
private:
|
void Sample(Message* message) {
|
const Descriptor* descriptor = message->GetDescriptor();
|
const Reflection* reflection = message->GetReflection();
|
|
int field_count = descriptor->field_count();
|
for (int i = 0; i < field_count; ++i) {
|
const FieldDescriptor* field = descriptor->field(i);
|
if (const OneofDescriptor* oneof = field->containing_oneof()) {
|
// Handle entire oneof group on the first field.
|
if (field->index_in_oneof() == 0) {
|
assert(oneof->field_count());
|
const FieldDescriptor* current_field =
|
reflection->GetOneofFieldDescriptor(*message, oneof);
|
for (;;) {
|
const FieldDescriptor* add_field =
|
oneof->field(GetRandomIndex(random_, oneof->field_count()));
|
if (add_field != current_field) {
|
sampler_.Try(kDefaultMutateWeight,
|
{{message, add_field}, Mutation::Add});
|
break;
|
}
|
if (oneof->field_count() < 2) break;
|
}
|
if (current_field) {
|
if (current_field->cpp_type() != FieldDescriptor::CPPTYPE_MESSAGE) {
|
sampler_.Try(kDefaultMutateWeight,
|
{{message, current_field}, Mutation::Mutate});
|
}
|
sampler_.Try(kDefaultMutateWeight,
|
{{message, current_field}, Mutation::Delete});
|
sampler_.Try(kDefaultMutateWeight,
|
{{message, current_field}, Mutation::Copy});
|
}
|
}
|
} else {
|
if (field->is_repeated()) {
|
int field_size = reflection->FieldSize(*message, field);
|
sampler_.Try(
|
kDefaultMutateWeight,
|
{{message, field, GetRandomIndex(random_, field_size + 1)},
|
Mutation::Add});
|
|
if (field_size) {
|
size_t random_index = GetRandomIndex(random_, field_size);
|
if (field->cpp_type() != FieldDescriptor::CPPTYPE_MESSAGE) {
|
sampler_.Try(kDefaultMutateWeight,
|
{{message, field, random_index}, Mutation::Mutate});
|
}
|
sampler_.Try(kDefaultMutateWeight,
|
{{message, field, random_index}, Mutation::Delete});
|
sampler_.Try(kDefaultMutateWeight,
|
{{message, field, random_index}, Mutation::Copy});
|
}
|
} else {
|
if (reflection->HasField(*message, field) ||
|
IsProto3SimpleField(*field)) {
|
if (field->cpp_type() != FieldDescriptor::CPPTYPE_MESSAGE)
|
sampler_.Try(kDefaultMutateWeight,
|
{{message, field}, Mutation::Mutate});
|
if (!IsProto3SimpleField(*field) &&
|
(!field->is_required() || !keep_initialized_)) {
|
sampler_.Try(kDefaultMutateWeight,
|
{{message, field}, Mutation::Delete});
|
}
|
sampler_.Try(kDefaultMutateWeight,
|
{{message, field}, Mutation::Copy});
|
} else {
|
sampler_.Try(kDefaultMutateWeight,
|
{{message, field}, Mutation::Add});
|
}
|
}
|
}
|
|
if (field->cpp_type() == FieldDescriptor::CPPTYPE_MESSAGE) {
|
if (field->is_repeated()) {
|
const int field_size = reflection->FieldSize(*message, field);
|
for (int j = 0; j < field_size; ++j)
|
Sample(reflection->MutableRepeatedMessage(message, field, j));
|
} else if (reflection->HasField(*message, field)) {
|
Sample(reflection->MutableMessage(message, field));
|
}
|
}
|
}
|
}
|
|
bool keep_initialized_ = false;
|
|
RandomEngine* random_;
|
|
struct Result {
|
Result() = default;
|
Result(const FieldInstance& f, Mutation m) : field(f), mutation(m) {}
|
|
FieldInstance field;
|
Mutation mutation = Mutation::None;
|
};
|
WeightedReservoirSampler<Result, RandomEngine> sampler_;
|
};
|
|
// Selects random field of compatible type to use for clone mutations.
|
class DataSourceSampler {
|
public:
|
DataSourceSampler(const ConstFieldInstance& match, RandomEngine* random,
|
Message* message)
|
: match_(match), random_(random), sampler_(random) {
|
Sample(message);
|
}
|
|
// Returns selected field.
|
const ConstFieldInstance& field() const {
|
assert(!IsEmpty());
|
return sampler_.selected();
|
}
|
|
bool IsEmpty() const { return sampler_.IsEmpty(); }
|
|
private:
|
void Sample(Message* message) {
|
const Descriptor* descriptor = message->GetDescriptor();
|
const Reflection* reflection = message->GetReflection();
|
|
int field_count = descriptor->field_count();
|
for (int i = 0; i < field_count; ++i) {
|
const FieldDescriptor* field = descriptor->field(i);
|
if (field->cpp_type() == FieldDescriptor::CPPTYPE_MESSAGE) {
|
if (field->is_repeated()) {
|
const int field_size = reflection->FieldSize(*message, field);
|
for (int j = 0; j < field_size; ++j) {
|
Sample(reflection->MutableRepeatedMessage(message, field, j));
|
}
|
} else if (reflection->HasField(*message, field)) {
|
Sample(reflection->MutableMessage(message, field));
|
}
|
}
|
|
if (field->cpp_type() != match_.cpp_type()) continue;
|
if (match_.cpp_type() == FieldDescriptor::CPPTYPE_ENUM) {
|
if (field->enum_type() != match_.enum_type()) continue;
|
} else if (match_.cpp_type() == FieldDescriptor::CPPTYPE_MESSAGE) {
|
if (field->message_type() != match_.message_type()) continue;
|
}
|
|
if (field->is_repeated()) {
|
if (int field_size = reflection->FieldSize(*message, field)) {
|
ConstFieldInstance source(message, field,
|
GetRandomIndex(random_, field_size));
|
if (match_.EnforceUtf8() && !source.EnforceUtf8()) continue;
|
if (!IsEqualValueField()(match_, source))
|
sampler_.Try(field_size, source);
|
}
|
} else {
|
if (reflection->HasField(*message, field)) {
|
ConstFieldInstance source(message, field);
|
if (match_.EnforceUtf8() && !source.EnforceUtf8()) continue;
|
if (!IsEqualValueField()(match_, source)) sampler_.Try(1, source);
|
}
|
}
|
}
|
}
|
|
ConstFieldInstance match_;
|
RandomEngine* random_;
|
|
WeightedReservoirSampler<ConstFieldInstance, RandomEngine> sampler_;
|
};
|
|
} // namespace
|
|
class FieldMutator {
|
public:
|
FieldMutator(size_t size_increase_hint, bool enforce_changes,
|
bool enforce_utf8_strings, Mutator* mutator)
|
: size_increase_hint_(size_increase_hint),
|
enforce_changes_(enforce_changes),
|
enforce_utf8_strings_(enforce_utf8_strings),
|
mutator_(mutator) {}
|
|
void Mutate(int32_t* value) const {
|
RepeatMutate(value, std::bind(&Mutator::MutateInt32, mutator_, _1));
|
}
|
|
void Mutate(int64_t* value) const {
|
RepeatMutate(value, std::bind(&Mutator::MutateInt64, mutator_, _1));
|
}
|
|
void Mutate(uint32_t* value) const {
|
RepeatMutate(value, std::bind(&Mutator::MutateUInt32, mutator_, _1));
|
}
|
|
void Mutate(uint64_t* value) const {
|
RepeatMutate(value, std::bind(&Mutator::MutateUInt64, mutator_, _1));
|
}
|
|
void Mutate(float* value) const {
|
RepeatMutate(value, std::bind(&Mutator::MutateFloat, mutator_, _1));
|
}
|
|
void Mutate(double* value) const {
|
RepeatMutate(value, std::bind(&Mutator::MutateDouble, mutator_, _1));
|
}
|
|
void Mutate(bool* value) const {
|
RepeatMutate(value, std::bind(&Mutator::MutateBool, mutator_, _1), 2);
|
}
|
|
void Mutate(FieldInstance::Enum* value) const {
|
RepeatMutate(&value->index,
|
std::bind(&Mutator::MutateEnum, mutator_, _1, value->count),
|
std::max<size_t>(value->count, 1));
|
assert(value->index < value->count);
|
}
|
|
void Mutate(std::string* value) const {
|
if (enforce_utf8_strings_) {
|
RepeatMutate(value, std::bind(&Mutator::MutateUtf8String, mutator_, _1,
|
size_increase_hint_));
|
} else {
|
RepeatMutate(value, std::bind(&Mutator::MutateString, mutator_, _1,
|
size_increase_hint_));
|
}
|
}
|
|
void Mutate(std::unique_ptr<Message>* message) const {
|
assert(!enforce_changes_);
|
assert(*message);
|
if (GetRandomBool(mutator_->random(), 100)) return;
|
mutator_->Mutate(message->get(), size_increase_hint_);
|
}
|
|
private:
|
template <class T, class F>
|
void RepeatMutate(T* value, F mutate,
|
size_t unchanged_one_out_of = 100) const {
|
if (!enforce_changes_ &&
|
GetRandomBool(mutator_->random(), unchanged_one_out_of)) {
|
return;
|
}
|
T tmp = *value;
|
for (int i = 0; i < 10; ++i) {
|
*value = mutate(*value);
|
if (!enforce_changes_ || *value != tmp) return;
|
}
|
}
|
|
size_t size_increase_hint_;
|
size_t enforce_changes_;
|
bool enforce_utf8_strings_;
|
Mutator* mutator_;
|
};
|
|
namespace {
|
|
struct MutateField : public FieldFunction<MutateField> {
|
template <class T>
|
void ForType(const FieldInstance& field, size_t size_increase_hint,
|
Mutator* mutator) const {
|
T value;
|
field.Load(&value);
|
FieldMutator(size_increase_hint, true, field.EnforceUtf8(), mutator)
|
.Mutate(&value);
|
field.Store(value);
|
}
|
};
|
|
struct CreateField : public FieldFunction<CreateField> {
|
public:
|
template <class T>
|
void ForType(const FieldInstance& field, size_t size_increase_hint,
|
Mutator* mutator) const {
|
T value;
|
field.GetDefault(&value);
|
FieldMutator field_mutator(size_increase_hint,
|
false /* defaults could be useful */,
|
field.EnforceUtf8(), mutator);
|
field_mutator.Mutate(&value);
|
field.Create(value);
|
}
|
};
|
|
} // namespace
|
|
Mutator::Mutator(RandomEngine* random) : random_(random) {}
|
|
void Mutator::Mutate(Message* message, size_t size_increase_hint) {
|
bool repeat;
|
do {
|
repeat = false;
|
MutationSampler mutation(keep_initialized_, random_, message);
|
switch (mutation.mutation()) {
|
case Mutation::None:
|
break;
|
case Mutation::Add:
|
CreateField()(mutation.field(), size_increase_hint / 2, this);
|
break;
|
case Mutation::Mutate:
|
MutateField()(mutation.field(), size_increase_hint / 2, this);
|
break;
|
case Mutation::Delete:
|
DeleteField()(mutation.field());
|
break;
|
case Mutation::Copy: {
|
DataSourceSampler source(mutation.field(), random_, message);
|
if (source.IsEmpty()) {
|
repeat = true;
|
break;
|
}
|
CopyField()(source.field(), mutation.field());
|
break;
|
}
|
default:
|
assert(false && "unexpected mutation");
|
}
|
} while (repeat);
|
|
InitializeAndTrim(message, kMaxInitializeDepth);
|
assert(!keep_initialized_ || message->IsInitialized());
|
}
|
|
void Mutator::CrossOver(const protobuf::Message& message1,
|
protobuf::Message* message2) {
|
// CrossOver can produce result which still equals to inputs. So we backup
|
// message2 to later comparison. message1 is already constant.
|
std::unique_ptr<protobuf::Message> message2_copy(message2->New());
|
message2_copy->CopyFrom(*message2);
|
|
CrossOverImpl(message1, message2);
|
|
InitializeAndTrim(message2, kMaxInitializeDepth);
|
assert(!keep_initialized_ || message2->IsInitialized());
|
|
// Can't call mutate from crossover because of a bug in libFuzzer.
|
return;
|
// if (MessageDifferencer::Equals(*message2_copy, *message2) ||
|
// MessageDifferencer::Equals(message1, *message2)) {
|
// Mutate(message2, 0);
|
// }
|
}
|
|
void Mutator::CrossOverImpl(const protobuf::Message& message1,
|
protobuf::Message* message2) {
|
const Descriptor* descriptor = message2->GetDescriptor();
|
const Reflection* reflection = message2->GetReflection();
|
assert(message1.GetDescriptor() == descriptor);
|
assert(message1.GetReflection() == reflection);
|
|
for (int i = 0; i < descriptor->field_count(); ++i) {
|
const FieldDescriptor* field = descriptor->field(i);
|
|
if (field->is_repeated()) {
|
const int field_size1 = reflection->FieldSize(message1, field);
|
int field_size2 = reflection->FieldSize(*message2, field);
|
for (int j = 0; j < field_size1; ++j) {
|
ConstFieldInstance source(&message1, field, j);
|
FieldInstance destination(message2, field, field_size2++);
|
AppendField()(source, destination);
|
}
|
|
assert(field_size2 == reflection->FieldSize(*message2, field));
|
|
// Shuffle
|
for (int j = 0; j < field_size2; ++j) {
|
if (int k = GetRandomIndex(random_, field_size2 - j)) {
|
reflection->SwapElements(message2, field, j, j + k);
|
}
|
}
|
|
int keep = GetRandomIndex(random_, field_size2 + 1);
|
|
if (field->cpp_type() == FieldDescriptor::CPPTYPE_MESSAGE) {
|
int remove = field_size2 - keep;
|
// Cross some message to keep with messages to remove.
|
int cross = GetRandomIndex(random_, std::min(keep, remove) + 1);
|
for (int j = 0; j < cross; ++j) {
|
int k = GetRandomIndex(random_, keep);
|
int r = keep + GetRandomIndex(random_, remove);
|
assert(k != r);
|
CrossOverImpl(reflection->GetRepeatedMessage(*message2, field, r),
|
reflection->MutableRepeatedMessage(message2, field, k));
|
}
|
}
|
|
for (int j = keep; j < field_size2; ++j)
|
reflection->RemoveLast(message2, field);
|
assert(keep == reflection->FieldSize(*message2, field));
|
|
} else if (field->cpp_type() == FieldDescriptor::CPPTYPE_MESSAGE) {
|
if (!reflection->HasField(message1, field)) {
|
if (GetRandomBool(random_))
|
DeleteField()(FieldInstance(message2, field));
|
} else if (!reflection->HasField(*message2, field)) {
|
if (GetRandomBool(random_)) {
|
ConstFieldInstance source(&message1, field);
|
CopyField()(source, FieldInstance(message2, field));
|
}
|
} else {
|
CrossOverImpl(reflection->GetMessage(message1, field),
|
reflection->MutableMessage(message2, field));
|
}
|
} else {
|
if (GetRandomBool(random_)) {
|
if (reflection->HasField(message1, field)) {
|
ConstFieldInstance source(&message1, field);
|
CopyField()(source, FieldInstance(message2, field));
|
} else {
|
DeleteField()(FieldInstance(message2, field));
|
}
|
}
|
}
|
}
|
}
|
|
void Mutator::InitializeAndTrim(Message* message, int max_depth) {
|
const Descriptor* descriptor = message->GetDescriptor();
|
const Reflection* reflection = message->GetReflection();
|
for (int i = 0; i < descriptor->field_count(); ++i) {
|
const FieldDescriptor* field = descriptor->field(i);
|
if (keep_initialized_ && field->is_required() &&
|
!reflection->HasField(*message, field))
|
CreateDefaultField()(FieldInstance(message, field));
|
|
if (field->cpp_type() == FieldDescriptor::CPPTYPE_MESSAGE) {
|
if (max_depth <= 0 && !field->is_required()) {
|
// Clear deep optional fields to avoid stack overflow.
|
reflection->ClearField(message, field);
|
if (field->is_repeated())
|
assert(!reflection->FieldSize(*message, field));
|
else
|
assert(!reflection->HasField(*message, field));
|
continue;
|
}
|
|
if (field->is_repeated()) {
|
const int field_size = reflection->FieldSize(*message, field);
|
for (int j = 0; j < field_size; ++j) {
|
Message* nested_message =
|
reflection->MutableRepeatedMessage(message, field, j);
|
InitializeAndTrim(nested_message, max_depth - 1);
|
}
|
} else if (reflection->HasField(*message, field)) {
|
Message* nested_message = reflection->MutableMessage(message, field);
|
InitializeAndTrim(nested_message, max_depth - 1);
|
}
|
}
|
}
|
}
|
|
int32_t Mutator::MutateInt32(int32_t value) { return FlipBit(value, random_); }
|
|
int64_t Mutator::MutateInt64(int64_t value) { return FlipBit(value, random_); }
|
|
uint32_t Mutator::MutateUInt32(uint32_t value) {
|
return FlipBit(value, random_);
|
}
|
|
uint64_t Mutator::MutateUInt64(uint64_t value) {
|
return FlipBit(value, random_);
|
}
|
|
float Mutator::MutateFloat(float value) { return FlipBit(value, random_); }
|
|
double Mutator::MutateDouble(double value) { return FlipBit(value, random_); }
|
|
bool Mutator::MutateBool(bool value) { return !value; }
|
|
size_t Mutator::MutateEnum(size_t index, size_t item_count) {
|
if (item_count <= 1) return 0;
|
return (index + 1 + GetRandomIndex(random_, item_count - 1)) % item_count;
|
}
|
|
std::string Mutator::MutateString(const std::string& value,
|
size_t size_increase_hint) {
|
std::string result = value;
|
|
while (!result.empty() && GetRandomBool(random_)) {
|
result.erase(GetRandomIndex(random_, result.size()), 1);
|
}
|
|
while (result.size() < size_increase_hint && GetRandomBool(random_)) {
|
size_t index = GetRandomIndex(random_, result.size() + 1);
|
result.insert(result.begin() + index, GetRandomIndex(random_, 1 << 8));
|
}
|
|
if (result != value) return result;
|
|
if (result.empty()) {
|
result.push_back(GetRandomIndex(random_, 1 << 8));
|
return result;
|
}
|
|
if (!result.empty())
|
FlipBit(result.size(), reinterpret_cast<uint8_t*>(&result[0]), random_);
|
return result;
|
}
|
|
std::string Mutator::MutateUtf8String(const std::string& value,
|
size_t size_increase_hint) {
|
std::string str = MutateString(value, size_increase_hint);
|
FixUtf8String(&str, random_);
|
return str;
|
}
|
|
} // namespace protobuf_mutator
|
