#!/usr/bin/env python

# To use:
#  1) Update the 'decls' list below with your fuzzing configuration.
#  2) Run with the clang binary as the command-line argument.

from __future__ import absolute_import, division, print_function
import random
import subprocess
import sys
import os

# Path of the clang binary under test, taken verbatim from the first
# command-line argument. CodeModel.fails() passes it to subprocess.call as the
# first element of an argument list, so no shell is involved.
clang = sys.argv[1]
# Weight of the "stop" outcome in choose(): each draw is uniform over
# [0, len(options) + none_opts) and the sequence ends once the draw lands at or
# beyond len(options), so a larger value gives shorter mutation sequences.
none_opts = 0.3

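class Decl(object):
  """One candidate top-level declaration the fuzzer may emit.

  text is a %-format template that apply() expands with a single 'name' key,
  so a literal percent sign in the C++ snippet has to be written as '%%'.
  depends, provides and conflicts are lists of keys looked up in (or added
  to) model.decls:
    depends   -- keys that must already be present for the decl to be valid.
    provides  -- keys recorded in model.decls once the decl is applied.
    conflicts -- keys whose presence makes the decl invalid.
  """

  def __init__(self, text, depends=None, provides=None, conflicts=None):
    self.text = text
    # A fresh list per instance: a shared mutable default ([]) would let a
    # change made through one Decl leak into every other Decl that relied on
    # the default.
    self.depends = [] if depends is None else depends
    self.provides = [] if provides is None else provides
    self.conflicts = [] if conflicts is None else conflicts

  def valid(self, model):
    """Return True if every dependency is in model.decls and no conflict is."""
    known = model.decls
    return (all(key in known for key in self.depends) and
            not any(key in known for key in self.conflicts))

  def apply(self, model, name):
    """Record the provided keys and append the expanded text to model.source."""
    for key in self.provides:
      model.decls[key] = True
    model.source += self.text % {'name': name}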

# Fuzzing configuration: the pool of declarations add_top_level_decl() picks
# from. Edit this list to describe the constructs you want to exercise.
decls = [
  # Defines X. It conflicts with its own key, so it is not chosen again while
  # 'X' is already recorded in the model.
  Decl(
    'struct X { int n; };\n',
    provides=['X'],
    conflicts=['X'],
  ),
  # Uses X in a constant expression; only valid once 'X' is recorded.
  Decl(
    'static_assert(X{.n=1}.n == 1, "");\n',
    depends=['X'],
  ),
  # Declares a variable of type X under a freshly generated name.
  Decl(
    'X %(name)s;\n',
    depends=['X'],
  ),
]

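class FS(object):
  """Staging area that mirrors a set of generated files onto disk.

  write() only queues content in memory; done() makes the disk match the
  queued set. Paths are opened exactly as given, so relative paths resolve
  against the current working directory.
  """

  def __init__(self):
    # path -> contents queued since the last done().
    self.fs = {}
    # path -> contents as of the last done(); used to skip unchanged files and
    # to find files that have to be deleted.
    self.prevfs = {}

  def write(self, path, contents):
    """Queue contents for path; nothing touches the disk until done()."""
    self.fs[path] = contents

  def done(self):
    """Write new or changed files, delete stale ones, then start a new round.

    "Changed" is judged against the in-memory record of the previous round,
    not against what is on disk, so a file modified or removed externally
    between rounds is not restored unless its queued contents differ.
    """
    for path, contents in self.fs.items():
      if self.prevfs.get(path) != contents:
        # open() rather than the Python 2-only file() builtin, which raises
        # NameError on Python 3; the with-block also closes the handle if
        # the write fails.
        with open(path, 'w') as out:
          out.write(contents)

    # Anything written last round but not queued this round is stale.
    for path in self.prevfs:
      if path not in self.fs:
        os.remove(path)

    self.prevfs, self.fs = self.fs, {}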

# Shared staging area: CodeModel.fails() queues its generated files here and
# flushes them with fs.done() before each compiler run.
fs = FS()

class CodeModel(object):
  """The program being generated: main source text plus finished modules."""

  def __init__(self):
    self.i = 0          # counter behind make_name()
    self.decls = {}     # keys provided by declarations visible so far
    self.modules = {}   # module name -> (header text, decls it provides)
    self.source = ''    # text accumulated for the current translation unit

  def make_name(self):
    """Return the next identifier in the sequence n1, n2, ..."""
    self.i += 1
    return 'n' + str(self.i)

  def fails(self):
    """Write the model to disk, compile it, and report a nonzero exit status.

    Files are staged under relative paths (module.modulemap, <module>.h,
    main.cc), so they land in the current working directory. Any nonzero
    status from the compiler counts as a failure; the call passes no timeout,
    so a compiler that hangs blocks the fuzzer. The output path /dev/null
    assumes a POSIX system.
    """
    modulemap = ''.join(
        'module %s { header "%s.h" export * }\n' % (name, name)
        for name in self.modules)
    fs.write('module.modulemap', modulemap)

    for name, (header_text, _) in self.modules.items():
      fs.write('%s.h' % name, header_text)

    fs.write('main.cc', self.source)
    fs.done()

    # Argument list, not a shell string: the clang path is never parsed by a
    # shell.
    status = subprocess.call(
        [clang, '-std=c++11', '-c', '-fmodules', 'main.cc', '-o', '/dev/null'])
    return status != 0

def generate():
  """Build one random program and, if clang rejects it, reduce it.

  Returns None when the generated program compiles cleanly, True when the
  search is interrupted with Ctrl-C, and the reduced CodeModel when the
  reduction phase is interrupted with Ctrl-C. Reduction has no other exit: it
  keeps dropping random steps until the user stops it.
  """
  model = CodeModel()
  steps = []

  try:
    for step in mutations(model):
      step(model)
      steps.append(step)
    if not model.fails():
      return
  except KeyboardInterrupt:
    print()
    return True

  sys.stdout.write('\nReducing:\n')
  sys.stdout.flush()

  try:
    while True:
      assert steps, 'got a failure with no steps; broken clang binary?'
      # Drop one randomly chosen step and replay the rest on a fresh model.
      drop = random.choice(list(range(len(steps))))
      candidate = steps[:drop] + steps[drop + 1:]
      trial = CodeModel()
      for step in candidate:
        step(trial)
      if not trial.fails():
        # The dropped step was needed; keep the current sequence.
        sys.stdout.write('.')
        sys.stdout.flush()
        continue
      steps = candidate
      model = trial
  except KeyboardInterrupt:
    # FIXME: Clean out output directory first.
    # Re-run the smallest failing model so the files left on disk match it.
    model.fails()
    return model

def choose(options):
  """Yield randomly picked entries of options until a "stop" draw occurs.

  len(options) is re-read on every draw, so entries appended to the list
  while the generator is being consumed become eligible for later picks.
  """
  while True:
    pick = int(random.uniform(0, len(options) + none_opts))
    if pick < len(options):
      yield options[pick]
    else:
      # The draw fell into the extra none_opts slice: end the sequence.
      return

def mutations(model):
  """Yield a random sequence of mutation steps (callables taking a model).

  The factory list is handed to each factory as well, so a factory can
  register further factories for later picks.
  """
  available = [create_module, add_top_level_decl]
  for factory in choose(available):
    yield factory(model, available)

def create_module(model, options):
  """Return a step that turns the current source into a named module.

  The module name is allocated from model immediately. As a side effect, a
  factory for importing that module is appended to options.
  """
  module_name = model.make_name()

  def go(model):
    # Park the text and decls gathered so far under the module name, then
    # start an empty translation unit.
    finished = (model.source, model.decls)
    model.modules[module_name] = finished
    model.source = ''
    model.decls = {}

  options.append(
      lambda model, options: add_import(model, options, module_name))
  return go

def add_top_level_decl(model, options):
  """Return a step that emits one randomly chosen, currently valid Decl.

  The choice is made now, against model; random.choice raises IndexError if
  no entry of decls is valid for it. Validity is checked again when the step
  runs, because the step may be replayed on a different model.
  """
  name = model.make_name()
  candidates = [decl for decl in decls if decl.valid(model)]
  chosen = random.choice(candidates)

  def go(model):
    if chosen.valid(model):
      chosen.apply(model, name)

  return go

def add_import(model, options, module_name):
  """Return a step that includes module_name's header, if the module exists.

  The step does nothing when the model it runs on has no such module.
  """
  def go(model):
    if module_name not in model.modules:
      return
    model.source += '#include "%s.h"\n' % module_name
    # Declarations provided by the module become visible to later steps.
    exported = model.modules[module_name][1]
    model.decls.update(exported)

  return go

# Driver: keep generating programs, printing one dot per clean compile, until
# generate() returns something truthy (a reduced model, or True on Ctrl-C).
sys.stdout.write('Finding bug: ')
while not generate():
  sys.stdout.write('.')
  sys.stdout.flush()