authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
commit36d22d82aa202bb199967e9512281e9a53db42c9 (patch)
tree105e8c98ddea1c1e4784a60a5a6410fa416be2de /tools/fuzzing/shmem
parentInitial commit. (diff)
Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tools/fuzzing/shmem')
-rw-r--r--tools/fuzzing/shmem/SharedMemoryFuzzer.cpp122
-rw-r--r--tools/fuzzing/shmem/SharedMemoryFuzzer.h38
-rw-r--r--tools/fuzzing/shmem/moz.build11
3 files changed, 171 insertions, 0 deletions
diff --git a/tools/fuzzing/shmem/SharedMemoryFuzzer.cpp b/tools/fuzzing/shmem/SharedMemoryFuzzer.cpp
new file mode 100644
index 0000000000..49a79fa975
--- /dev/null
+++ b/tools/fuzzing/shmem/SharedMemoryFuzzer.cpp
@@ -0,0 +1,122 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "FuzzingMutate.h"
+#include "FuzzingTraits.h"
+#include "nsDebug.h"
+#include "prenv.h"
+#include "SharedMemoryFuzzer.h"
+
+#define SHMEM_FUZZER_DEFAULT_MUTATION_PROBABILITY 2
+#define SHMEM_FUZZER_DEFAULT_MUTATION_FACTOR 500
+#define SHMEM_FUZZER_LOG(fmt, args...) \
+ if (SharedMemoryFuzzer::IsLoggingEnabled()) { \
+ printf_stderr("[SharedMemoryFuzzer] " fmt "\n", ##args); \
+ }
+
+namespace mozilla {
+namespace ipc {
+
+using namespace fuzzing;
+
+/* static */
+bool SharedMemoryFuzzer::IsLoggingEnabled() {
+ static bool sInitialized = false;
+ static bool sIsLoggingEnabled = false;
+
+ if (!sInitialized) {
+ sIsLoggingEnabled = !!PR_GetEnv("SHMEM_FUZZER_ENABLE_LOGGING");
+ sInitialized = true;
+ }
+ return sIsLoggingEnabled;
+}
+
+/* static */
+bool SharedMemoryFuzzer::IsEnabled() {
+ static bool sInitialized = false;
+ static bool sIsFuzzerEnabled = false;
+
+ if (!sInitialized) {
+ sIsFuzzerEnabled = !!PR_GetEnv("SHMEM_FUZZER_ENABLE");
+ }
+ return sIsFuzzerEnabled;
+}
+
+/* static */
+uint64_t SharedMemoryFuzzer::MutationProbability() {
+ static uint64_t sPropValue = SHMEM_FUZZER_DEFAULT_MUTATION_PROBABILITY;
+ static bool sInitialized = false;
+
+ if (sInitialized) {
+ return sPropValue;
+ }
+ sInitialized = true;
+
+ const char* probability = PR_GetEnv("SHMEM_FUZZER_MUTATION_PROBABILITY");
+ if (probability) {
+ long n = std::strtol(probability, nullptr, 10);
+ if (n != 0) {
+ sPropValue = n;
+ return sPropValue;
+ }
+ }
+ return sPropValue;
+}
+
+/* static */
+uint64_t SharedMemoryFuzzer::MutationFactor() {
+ static uint64_t sPropValue = SHMEM_FUZZER_DEFAULT_MUTATION_FACTOR;
+ static bool sInitialized = false;
+
+ if (sInitialized) {
+ return sPropValue;
+ }
+ sInitialized = true;
+
+ const char* factor = PR_GetEnv("SHMEM_FUZZER_MUTATION_FACTOR");
+ if (factor) {
+ long n = strtol(factor, nullptr, 10);
+ if (n != 0) {
+ sPropValue = n;
+ return sPropValue;
+ }
+ }
+ return sPropValue;
+}
+
+/* static */
+void* SharedMemoryFuzzer::MutateSharedMemory(void* aMemory, size_t aSize) {
+ if (!IsEnabled()) {
+ return aMemory;
+ }
+
+ if (aSize == 0) {
+ /* Shmem opened from foreign handle. */
+ SHMEM_FUZZER_LOG("shmem is of size 0.");
+ return aMemory;
+ }
+
+ if (!aMemory) {
+ /* Memory space is not mapped. */
+ SHMEM_FUZZER_LOG("shmem memory space is not mapped.");
+ return aMemory;
+ }
+
+ // The likelihood when a value gets fuzzed of this object.
+ if (!FuzzingTraits::Sometimes(MutationProbability())) {
+ return aMemory;
+ }
+
+ const size_t max = FuzzingTraits::Frequency(aSize, MutationFactor());
+ SHMEM_FUZZER_LOG("shmem of size: %zu / mutations: %zu", aSize, max);
+ for (size_t i = 0; i < max; i++) {
+ FuzzingMutate::ChangeBit((uint8_t*)aMemory, aSize);
+ }
+ return aMemory;
+}
+
+} // namespace ipc
+} // namespace mozilla
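Review bot: `IsEnabled()` never sets `sInitialized = true`, so unlike `IsLoggingEnabled()` it calls `PR_GetEnv` again on every `MutateSharedMemory` call, and the hand-rolled `sInitialized` flags in all four getters are unsynchronized if shared memory is ever mapped from more than one thread. A function-local constant gives one-time, thread-safe initialization with less code: `static const bool sIsFuzzerEnabled = !!PR_GetEnv("SHMEM_FUZZER_ENABLE");`. Separately, `MutationProbability()` and `MutationFactor()` store the `long` returned by `strtol` into a `uint64_t` after checking only `n != 0`, so a negative value in the environment wraps to a very large number; `if (n > 0) {` would keep the default for such input. The file also calls `std::strtol` without including `<cstdlib>` itself, and `SHMEM_FUZZER_LOG` expands to a bare `if`, which is safer wrapped in `do { ... } while (0)`.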
diff --git a/tools/fuzzing/shmem/SharedMemoryFuzzer.h b/tools/fuzzing/shmem/SharedMemoryFuzzer.h
new file mode 100644
index 0000000000..bd862edf6a
--- /dev/null
+++ b/tools/fuzzing/shmem/SharedMemoryFuzzer.h
@@ -0,0 +1,38 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_dom_SharedMemoryFuzzer_h
+#define mozilla_dom_SharedMemoryFuzzer_h
+
+#include <stddef.h>
+#include <stdint.h>
+
+namespace mozilla {
+namespace ipc {
+
+/*
+ * Exposed environment variables:
+ * SHMEM_FUZZER_ENABLE=1
+ * SHMEM_FUZZER_ENABLE_LOGGING=1 (optional)
+ * SHMEM_FUZZER_MUTATION_PROBABILITY=2 (optional)
+ * SHMEM_FUZZER_MUTATION_FACTOR=500 (optional)
+ */
+
+class SharedMemoryFuzzer {
+ public:
+ static void* MutateSharedMemory(void* aMemory, size_t aSize);
+
+ private:
+ static uint64_t MutationProbability();
+ static uint64_t MutationFactor();
+ static bool IsEnabled();
+ static bool IsLoggingEnabled();
+};
+
+} // namespace ipc
+} // namespace mozilla
+
+#endif
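Review bot: The include guard `mozilla_dom_SharedMemoryFuzzer_h` names `dom`, but the class is declared in `mozilla::ipc` and the build file exports the header under `mozilla/ipc`; `mozilla_ipc_SharedMemoryFuzzer_h` would match and cannot collide with a dom header of the same name. `MutateSharedMemory` also carries no contract comment, although it writes into the caller's buffer; I would add `// Mutates aMemory in place when SHMEM_FUZZER_ENABLE is set; always returns aMemory.` above the declaration. Since the class holds only static members, `SharedMemoryFuzzer() = delete;` would document that it is never instantiated.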
diff --git a/tools/fuzzing/shmem/moz.build b/tools/fuzzing/shmem/moz.build
new file mode 100644
index 0000000000..ee9c549920
--- /dev/null
+++ b/tools/fuzzing/shmem/moz.build
@@ -0,0 +1,11 @@
+# -*- Mode: python; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+UNIFIED_SOURCES += ["SharedMemoryFuzzer.cpp"]
+
+EXPORTS.mozilla.ipc += ["SharedMemoryFuzzer.h"]
+
+FINAL_LIBRARY = "xul"
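Review bot: Nothing in this moz.build restricts the sources to fuzzing builds, while the code is linked into `xul` and the mutator is switched on only by the `SHMEM_FUZZER_ENABLE` environment variable at run time. Presumably the directory is added only under a fuzzing configure option elsewhere in the tree, but that is not visible in this commit view and is worth confirming, because a shipping binary that honoured the variable would corrupt its own shared memory on request of whoever sets the environment. A one-line comment such as `# Must only be built in fuzzing configurations.` above `UNIFIED_SOURCES` would make the assumption explicit.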