summaryrefslogtreecommitdiffstats
path: root/tools/fuzzing/shmem/SharedMemoryFuzzer.cpp
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 14:29:10 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 14:29:10 +0000
commit2aa4a82499d4becd2284cdb482213d541b8804dd (patch)
treeb80bf8bf13c3766139fbacc530efd0dd9d54394c /tools/fuzzing/shmem/SharedMemoryFuzzer.cpp
parentInitial commit. (diff)
downloadfirefox-2aa4a82499d4becd2284cdb482213d541b8804dd.tar.xz
firefox-2aa4a82499d4becd2284cdb482213d541b8804dd.zip
Adding upstream version 86.0.1.upstream/86.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tools/fuzzing/shmem/SharedMemoryFuzzer.cpp')
-rw-r--r--tools/fuzzing/shmem/SharedMemoryFuzzer.cpp122
1 files changed, 122 insertions, 0 deletions
diff --git a/tools/fuzzing/shmem/SharedMemoryFuzzer.cpp b/tools/fuzzing/shmem/SharedMemoryFuzzer.cpp
new file mode 100644
index 0000000000..49a79fa975
--- /dev/null
+++ b/tools/fuzzing/shmem/SharedMemoryFuzzer.cpp
@@ -0,0 +1,122 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "FuzzingMutate.h"
+#include "FuzzingTraits.h"
+#include "nsDebug.h"
+#include "prenv.h"
+#include "SharedMemoryFuzzer.h"
+
+#define SHMEM_FUZZER_DEFAULT_MUTATION_PROBABILITY 2
+#define SHMEM_FUZZER_DEFAULT_MUTATION_FACTOR 500
+#define SHMEM_FUZZER_LOG(fmt, args...) \
+ if (SharedMemoryFuzzer::IsLoggingEnabled()) { \
+ printf_stderr("[SharedMemoryFuzzer] " fmt "\n", ##args); \
+ }
+
+namespace mozilla {
+namespace ipc {
+
+using namespace fuzzing;
+
+/* static */
+bool SharedMemoryFuzzer::IsLoggingEnabled() {
+ static bool sInitialized = false;
+ static bool sIsLoggingEnabled = false;
+
+ if (!sInitialized) {
+ sIsLoggingEnabled = !!PR_GetEnv("SHMEM_FUZZER_ENABLE_LOGGING");
+ sInitialized = true;
+ }
+ return sIsLoggingEnabled;
+}
+
+/* static */
+bool SharedMemoryFuzzer::IsEnabled() {
+ static bool sInitialized = false;
+ static bool sIsFuzzerEnabled = false;
+
+ if (!sInitialized) {
+ sIsFuzzerEnabled = !!PR_GetEnv("SHMEM_FUZZER_ENABLE");
+ }
+ return sIsFuzzerEnabled;
+}
+
+/* static */
+uint64_t SharedMemoryFuzzer::MutationProbability() {
+ static uint64_t sPropValue = SHMEM_FUZZER_DEFAULT_MUTATION_PROBABILITY;
+ static bool sInitialized = false;
+
+ if (sInitialized) {
+ return sPropValue;
+ }
+ sInitialized = true;
+
+ const char* probability = PR_GetEnv("SHMEM_FUZZER_MUTATION_PROBABILITY");
+ if (probability) {
+ long n = std::strtol(probability, nullptr, 10);
+ if (n != 0) {
+ sPropValue = n;
+ return sPropValue;
+ }
+ }
+ return sPropValue;
+}
+
+/* static */
+uint64_t SharedMemoryFuzzer::MutationFactor() {
+ static uint64_t sPropValue = SHMEM_FUZZER_DEFAULT_MUTATION_FACTOR;
+ static bool sInitialized = false;
+
+ if (sInitialized) {
+ return sPropValue;
+ }
+ sInitialized = true;
+
+ const char* factor = PR_GetEnv("SHMEM_FUZZER_MUTATION_FACTOR");
+ if (factor) {
+ long n = strtol(factor, nullptr, 10);
+ if (n != 0) {
+ sPropValue = n;
+ return sPropValue;
+ }
+ }
+ return sPropValue;
+}
+
+/* static */
+void* SharedMemoryFuzzer::MutateSharedMemory(void* aMemory, size_t aSize) {
+ if (!IsEnabled()) {
+ return aMemory;
+ }
+
+ if (aSize == 0) {
+ /* Shmem opened from foreign handle. */
+ SHMEM_FUZZER_LOG("shmem is of size 0.");
+ return aMemory;
+ }
+
+ if (!aMemory) {
+ /* Memory space is not mapped. */
+ SHMEM_FUZZER_LOG("shmem memory space is not mapped.");
+ return aMemory;
+ }
+
+ // The likelihood when a value gets fuzzed of this object.
+ if (!FuzzingTraits::Sometimes(MutationProbability())) {
+ return aMemory;
+ }
+
+ const size_t max = FuzzingTraits::Frequency(aSize, MutationFactor());
+ SHMEM_FUZZER_LOG("shmem of size: %zu / mutations: %zu", aSize, max);
+ for (size_t i = 0; i < max; i++) {
+ FuzzingMutate::ChangeBit((uint8_t*)aMemory, aSize);
+ }
+ return aMemory;
+}
+
+} // namespace ipc
+} // namespace mozilla