diff --git a/README.md b/README.md index 842214e..d0c33ea 100644 --- a/README.md +++ b/README.md @@ -94,23 +94,43 @@ is going to be rejected by fuzzed code. E.g. code may expect consistency between or it may use some fields as checksums. Such constraints are going to be significant bottleneck for fuzzer even if it's capable of inserting acceptable values with time. -PostProcessorRegistration can be used to avoid such issue and guide your fuzzer towards interesing +PostProcessorRegistration can be used to avoid such issue and guide your fuzzer towards interesting code. It registers callback which will be called for each message of particular type after each mutation. ``` DEFINE_PROTO_FUZZER(const MyMessageType& input) { static PostProcessorRegistration reg = { [](MyMessageType* message, unsigned int seed) { - TweakMyMessageType(message, seed); + TweakMyMessage(message, seed); }}; // Code which needs to be fuzzed. ConsumeMyMessageType(input); } ``` - Optional: Use seed if callback uses random numbers. It may help later with debugging. +Note: You can add callback for any nested message and you can add multiple callbacks for +the same message type. +``` +DEFINE_PROTO_FUZZER(const MyMessageType& input) { + static PostProcessorRegistration reg1 = { + [](MyMessageType* message, unsigned int seed) { + TweakMyMessage(message, seed); + }}; + static PostProcessorRegistration reg2 = { + [](MyMessageType* message, unsigned int seed) { + DifferentTweakMyMessage(message, seed); + }}; + static PostProcessorRegistration reg_nested = { + [](MyMessageType::Nested* message, unsigned int seed) { + TweakMyNestedMessage(message, seed); + }}; + + // Code which needs to be fuzzed. + ConsumeMyMessageType(input); +} +``` ## UTF-8 strings "proto2" and "proto3" handle invalid UTF-8 strings differently. In both cases string should be UTF-8, however only "proto3" enforces that. So if fuzzer is diff --git a/src/mutator.cc b/src/mutator.cc index e4e0305..53ef68e 100644 --- a/src/mutator.cc +++ b/src/mutator.cc @@ -470,10 +470,9 @@ void Mutator::RegisterPostProcessor(const protobuf::Descriptor* desc, void Mutator::ApplyPostProcessing(Message* message) { const Descriptor* descriptor = message->GetDescriptor(); - auto it = post_processors_.find(descriptor); - if (it != post_processors_.end()) { + auto range = post_processors_.equal_range(descriptor); + for (auto it = range.first; it != range.second; ++it) it->second(message, random_()); - } // Now recursively apply custom mutators. const Reflection* reflection = message->GetReflection(); diff --git a/src/mutator.h b/src/mutator.h index 7af7b38..a60c8bb 100644 --- a/src/mutator.h +++ b/src/mutator.h @@ -86,7 +86,8 @@ class Mutator { virtual std::string MutateString(const std::string& value, size_t size_increase_hint); - std::unordered_map post_processors_; + std::unordered_multimap + post_processors_; RandomEngine* random() { return &random_; } diff --git a/src/mutator_test.cc b/src/mutator_test.cc index a86760a..ccaea6c 100644 --- a/src/mutator_test.cc +++ b/src/mutator_test.cc @@ -586,36 +586,48 @@ TYPED_TEST(MutatorTypedTest, FailedMutations) { } TYPED_TEST(MutatorTypedTest, RegisterPostProcessor) { - constexpr char kInitialString[] = " "; - constexpr char kIndicatorString[] = "0123456789abcdef"; - bool custom_mutation = false; - bool regular_mutation = false; - + std::set top_mutations = {"0123456789abcdef", + "abcdef0123456789"}; TestMutator mutator(false); - mutator.RegisterPostProcessor( - TestFixture::Message::descriptor(), - [kIndicatorString](protobuf::Message* message, unsigned int seed) { - typename TestFixture::Message* test_message = - static_cast(message); - if (seed % 2) test_message->set_optional_string(kIndicatorString); - }); + for (auto& v : top_mutations) { + mutator.RegisterPostProcessor( + TestFixture::Message::descriptor(), + [=](protobuf::Message* message, unsigned int seed) { + auto test_message = + static_cast(message); + if (seed % 2) test_message->set_optional_string(v); + }); + } + + std::set nested_mutations = {1234567, 567890}; + for (auto& v : nested_mutations) { + mutator.RegisterPostProcessor( + TestFixture::Message::SubMsg::descriptor(), + [=](protobuf::Message* message, unsigned int seed) { + auto test_message = + static_cast(message); + if (seed % 2) test_message->set_optional_int64(v); + }); + } + + bool regular_mutation = false; for (int j = 0; j < 100000; ++j) { // Include this field to increase the probability of mutation. typename TestFixture::Message message; - message.set_optional_string(kInitialString); + message.set_optional_string("a"); mutator.Mutate(&message, 1000); - if (message.optional_string() == kIndicatorString) { - custom_mutation = true; - } else if (message.optional_string() != kInitialString) { - regular_mutation = true; - } + top_mutations.erase(message.optional_string()); + nested_mutations.erase(message.mutable_sub_message()->optional_int64()); + if (message.optional_string().empty()) regular_mutation = true; - if (custom_mutation && regular_mutation) break; + if (top_mutations.empty() && nested_mutations.empty() && regular_mutation) + break; } - EXPECT_TRUE(custom_mutation); + EXPECT_TRUE(top_mutations.empty()); + EXPECT_TRUE(nested_mutations.empty()); EXPECT_TRUE(regular_mutation); } diff --git a/src/mutator_test_proto2.proto b/src/mutator_test_proto2.proto index 0927775..161ca34 100644 --- a/src/mutator_test_proto2.proto +++ b/src/mutator_test_proto2.proto @@ -93,6 +93,8 @@ message Msg { Msg oneof_msg = 68; } + optional SubMsg sub_message = 69; + required group Group = 70 { required bool required_bool = 1; optional bool optional_bool = 2; diff --git a/src/mutator_test_proto3.proto b/src/mutator_test_proto3.proto index 5fd7507..b3f19f5 100644 --- a/src/mutator_test_proto3.proto +++ b/src/mutator_test_proto3.proto @@ -15,6 +15,10 @@ message Msg3 { ENUM_9 = 9; } + message SubMsg { + int64 optional_int64 = 1; + } + double optional_double = 18; float optional_float = 19; int32 optional_int32 = 20; @@ -71,6 +75,8 @@ message Msg3 { Msg3 oneof_msg = 68; } + SubMsg sub_message = 69; + message EmptyMessage {} message RegressionMessage {