fuzzing

Enumerations

enum AsyncDequeState

Name	Value

Forward declarations.

enum Signal

Name	Value
kSync	kSyncSignal
kStart	kStartSignal
kFinish	kFinishSignal
kStartLeakCheck	kStartSignal \| kLeakSignal
kFinishWithLeaks	kFinishSignal \| kLeakSignal

This enum renames some Zircon user signals to associate them with certain actions performed by

the engine.

Defined at line 24 of file ../../src/sys/fuzzing/common/async-eventpair.h

enum Mutation

Name	Value
kSkipSome	0
kShuffle	1
kReplaceSome	2
kFlip	3
kReplaceOne	4
kReplaceUnsigned	5
kReplaceNum	6
kMergeReplace	7
kInsertSome	8
kMergeInsert	9
kInsertOne	10
kInsertRepeated	11

Describes the types of mutation corresponding to the |Mutagen| methods below, and is used to

record the sequence of mutations.

The order here matters, as |Mutagen::Mutate| violates the abstraction a bit to get better

performance: it uses the ordering to constrain which mutations to pick from based on the input

size and output capacity.

TODO(https://fxbug.dev/42165145): This is currently missing a strategy to pull from the dictionary.

TODO(https://fxbug.dev/42166193): Add support for data-flow-guided fuzzing.

Defined at line 28 of file ../../src/sys/fuzzing/realmfuzzer/engine/mutagen.h

Records

class AsyncDequeTest_MultipleThreads_Test

class AsyncDequeTest_ReceiveAfterCancel_Test

class AsyncDequeTest_ReceiveBeforeSend_Test

```
class AsyncDequeTest_Reset_Test
```

class AsyncDequeTest_SendBeforeReceive_Test

class AsyncEventPairTest_IsConnected_Test

```
class AsyncEventPairTest_Pair_Test
```

class AsyncEventPairTest_SignalPeer_Test

class AsyncEventPairTest_SignalSelf_Test

class AsyncSocketTest_ReadAndWriteArtifact_Test

class AsyncSocketTest_ReadAndWriteEmptyArtifact_Test

class AsyncSocketTest_ReadAndWriteEmptyInput_Test

class AsyncSocketTest_ReadAndWriteInput_Test

class AsyncSocketTest_ReadAndWriteLargeArtifact_Test

class AsyncSocketTest_ReadAndWriteLargeInput_Test

class ChildProcessTest_ReadFromStderr_Test

class ChildProcessTest_ReadFromStdout_Test

class ControllerProviderTest_Connect_Test

class CorpusReaderClientTest_SendEmpty_Test

class CorpusReaderClientTest_SendPartial_Test

class CoverageDataProviderClientTest_GetModule_Test

class CoverageDataProviderClientTest_GetProcess_Test

class CoverageDataProviderClientTest_SetOptions_Test

class LibFuzzerIntegrationTest_RunBounded_Test

class LibFuzzerIntegrationTest_TryCrashingInput_Test

class LibFuzzerRunnerTest_CleanseAlreadyClean_Test

class LibFuzzerRunnerTest_CleanseNoReplacement_Test

class LibFuzzerRunnerTest_CleanseTwoBytes_Test

class LibFuzzerRunnerTest_DISABLED_Stop_Test

class LibFuzzerRunnerTest_FuzzUntilError_Test

class LibFuzzerRunnerTest_FuzzUntilRuns_Test

class LibFuzzerRunnerTest_FuzzUntilTime_Test

class LibFuzzerRunnerTest_InitializeCorpus_Test

class LibFuzzerRunnerTest_InitializeDictionary_Test

class LibFuzzerRunnerTest_MergeSeedError_Test

```
class LibFuzzerRunnerTest_Merge_Test
```

class LibFuzzerRunnerTest_MinimizeEmpty_Test

class LibFuzzerRunnerTest_MinimizeNewError_Test

class LibFuzzerRunnerTest_MinimizeNoError_Test

class LibFuzzerRunnerTest_MinimizeOneByte_Test

class LibFuzzerRunnerTest_MinimizeReduceByTwo_Test

class LibFuzzerRunnerTest_TryOneNoError_Test

class LibFuzzerRunnerTest_TryOneWithError_Test

class LibFuzzerRunnerTest_TryOneWithLeak_Test

```
class LibFuzzerStatsTest_Format_Test
```

class LibFuzzerStatsTest_ParseCertFuzzerStats_Test

class LibFuzzerStatsTest_ParseTestFuzzerStats_Test

class LibFuzzerTestIntegrationTest_RunAsTest_Test

class ProcessTest_ConnectAndAddModules_Test

class ProcessTest_ConnectBadModules_Test

class ProcessTest_ConnectDisableLimits_Test

class ProcessTest_ConnectLateModules_Test

```
class ProcessTest_ConnectProcess_Test
```

class ProcessTest_ConnectWithDefaultOptions_Test

```
class ProcessTest_FinishWithLeaks_Test
```

class ProcessTest_FinishWithoutLeaks_Test

class RealmFuzzerIntegrationTest_RunBounded_Test

class RealmFuzzerIntegrationTest_TryCrashingInput_Test

class RealmFuzzerTestIntegrationTest_RunAsTest_Test

class RegistryIntegrationTest_ConnectThenRegister_Test

class RegistryIntegrationTest_ConnectThenTimeout_Test

class RegistryIntegrationTest_RegisterThenConnect_Test

class TargetAdapterClientTest_Disconnect_Test

class TargetAdapterClientTest_GetParameters_Test

class TargetAdapterClientTest_TestOneInput_Test

Functions

```
ZxResult<RunnerPtr> MakeFakeRunnerPtr (ComponentContext & context)
```
Defined at line 10 of file ../../src/sys/fuzzing/common/testing/engine-main.cc
```
ZxResult<RunnerPtr> MakeRealmFuzzerRunnerPtr (ComponentContext & context)
```
Defined at line 10 of file ../../src/sys/fuzzing/realmfuzzer/engine/engine-main.cc
```
zx_status_t RunLibFuzzerRelay ()
```
Defined at line 10 of file ../../src/sys/fuzzing/libfuzzer/testing/relay-main.cc
```
Status CopyStatus (const Status & status)
```
Utility method for copying status objects.

Defined at line 12 of file ../../src/sys/fuzzing/common/status.cc
```
ZxResult<RunnerPtr> MakeLibFuzzerRunnerPtr (ComponentContext & context)
```
Defined at line 13 of file ../../src/sys/fuzzing/libfuzzer/engine-main.cc
```
zx_status_t RunLLVMTargetAdapter (const std::vector<std::string> & args)
```
Defined at line 13 of file ../../src/sys/fuzzing/realmfuzzer/adapters/llvm-main.cc
```
ZxPromise<Artifact> WatchArtifact (const ExecutorPtr & executor, ControllerPtr & controller)
```
Helper function to get an optional FIDL artifact from the given |controller| and convert it to an

optional |Artifact| while preserving errors.

Defined at line 13 of file ../../src/sys/fuzzing/common/testing/artifact.cc

bool ParseLibFuzzerStats (std::string_view line, UpdateReason * reason, Status * status)

Defined at line 17 of file ../../src/sys/fuzzing/libfuzzer/stats.cc

```
zx_status_t RunTestTarget ()
```
Defined at line 20 of file ../../src/sys/fuzzing/realmfuzzer/testing/target-main.cc
```
uint64_t GetTargetId (const zx::process & process)
```
Returns the target identifier for the given |process|.

Defined at line 30 of file ../../src/sys/fuzzing/realmfuzzer/engine/coverage-data.cc
```
ZxPromise<Input> AsyncSocketRead (const ExecutorPtr & executor, FidlInput fidl_input)
```
Creates a promise to read data from the |fidl_input| or |fidl_artifact| received by a FIDL call

into a corresponding |Input| or |Artifact|. These methods take ownership of their inputs to

ensure they live as long as the returned promises.

Example:

auto fidl_input = my_sync_ptr->MyFidlMethod();

AsyncSocketRead(executor(), std::move(fidl_input))

.and_then([

&

] (Input

&

received) { DoSomething(received); ... }));

Defined at line 74 of file ../../src/sys/fuzzing/common/async-socket.cc
```
zx_status_t GetStatsForProcess (const zx::process & process, ProcessStats * out)
```
Collect process-related statistics for a Zircon process. This function is kept standalone and

separate from, e.g., the engine's |ProcessProxy| class or the target's |Process| class in order

to be available to multiple usages when implementing FIDL methods within the controller.

Defined at line 45 of file ../../src/sys/fuzzing/common/status.cc

ZxPromise<Artifact> AsyncSocketRead (const ExecutorPtr & executor, FidlArtifact fidl_artifact)

Defined at line 89 of file ../../src/sys/fuzzing/common/async-socket.cc

std::string FormatLibFuzzerStats (UpdateReason reason, const Status & status)

Defined at line 105 of file ../../src/sys/fuzzing/libfuzzer/stats.cc

```
uint64_t GetTargetId (const zx::vmo & inline_8bit_counters)
```
Returns target identifier encoded in the name of the |inline_8bit_counters| VMO, or

|kInvalidTargetId| if no identifier could be parsed.

Defined at line 40 of file ../../src/sys/fuzzing/realmfuzzer/engine/coverage-data.cc
```
OptionsPtr MakeOptions ()
```
Defined at line 25 of file ../../src/sys/fuzzing/common/options.cc
```
uint64_t GetTargetId (const std::string & id)
```
Returns the target identifier encoded in the given |id|, or |kInvalidTargetId| if no

identifier could be parsed.

Defined at line 44 of file ../../src/sys/fuzzing/realmfuzzer/engine/coverage-data.cc
```
Options CopyOptions (const Options & options)
```
Provides the ability to copy Options, as the FIDL-generated struct implicitly deletes the

copy-constructor.

Defined at line 31 of file ../../src/sys/fuzzing/common/options.cc
```
Options CopyOptions (const OptionsPtr & options)
```
Defined at line 38 of file ../../src/sys/fuzzing/common/options.cc
```
std::string GetModuleId (const zx::vmo & inline_8bit_counters)
```
Returns the module identifier encoded in the name of the |inline_8bit_counters| VMO, or an empty

string if no identifier could be parsed.

Defined at line 60 of file ../../src/sys/fuzzing/realmfuzzer/engine/coverage-data.cc
```
void SetOptions (Options * options, const Options & overrides)
```
Applies any set values in |overrides| to the given set of |options|.

Defined at line 40 of file ../../src/sys/fuzzing/common/options.cc
```
void AddDefaults (Options * options)
```
Sets any missing options to their default values.

Defined at line 63 of file ../../src/sys/fuzzing/common/options.cc
```
ZxPromise<> AwaitConsumer (Consumer<> consumer)
```
Returns a promise to wait for a `Consumer` to be completed by its associated `Completer`.

These explicit overrides do not return values on success. They return ZX_ERR_CANCELED if the

associated completer is destroyed.

Defined at line 29 of file ../../src/sys/fuzzing/common/async-types.cc
```
ZxPromise<> AwaitConsumer (Consumer<zx_status_t> consumer)
```
Defined at line 35 of file ../../src/sys/fuzzing/common/async-types.cc
```
ZxPromise<> AwaitConsumer (ZxConsumer<> consumer)
```
Defined at line 41 of file ../../src/sys/fuzzing/common/async-types.cc
```
ZxPromise<> ConsumeBridge (Bridge<> & bridge)
```
Returns a promise to wait for a bridge's consumer to be completed by its associated `Completer`.

These explicit overrides do not return values on success. They return ZX_ERR_CANCELED if the

associated completer is destroyed.

Defined at line 45 of file ../../src/sys/fuzzing/common/async-types.cc
```
std::ostream & operator<< (std::ostream & os, const Input & input)
```
This method allows easier printing by gTest.

Defined at line 46 of file ../../src/sys/fuzzing/common/input.h
```
ZxPromise<> ConsumeBridge (Bridge<zx_status_t> & bridge)
```
Defined at line 47 of file ../../src/sys/fuzzing/common/async-types.cc
```
template <typename RunnerPtrMaker>
```
```
zx_status_t RunEngine (int argc, char ** argv, RunnerPtrMaker MakeRunnerPtr)
```
Starts the engine with runner provided by `MakeRunnerPtr`, which should have the signature:

`ZxResult

<RunnerPtr

>(ComponentContext

&

)`.

Defined at line 60 of file ../../src/sys/fuzzing/common/engine.h
```
std::string GetModuleId (const std::string & id)
```
Returns the module identifier encoded in the given |id|, or an empty string if no

identifier could be parsed.

Defined at line 64 of file ../../src/sys/fuzzing/realmfuzzer/engine/coverage-data.cc
```
ExecutorPtr MakeExecutor (async_dispatcher_t * dispatcher)
```
Defined at line 11 of file ../../src/sys/fuzzing/common/async-types.cc
```
ZxResult<> AsZxResult (zx_status_t status)
```
Converts a status code result to a |ZxResult|.

Defined at line 15 of file ../../src/sys/fuzzing/common/async-types.cc
```
ZxResult<> AsZxResult (const Result<zx_status_t> & result)
```
Defined at line 22 of file ../../src/sys/fuzzing/common/async-types.cc

bool ExtractFlag (const std::string & flag, int * argc, char ** argv)

Defined at line 55 of file ../../src/lib/fuzzing/cpp/fuzzer_test.cc

```
void SetCoverage (size_t index, uint8_t value)
```
Defined at line 70 of file ../../src/sys/fuzzing/common/testing/sanitizer.cc
```
void Malloc (size_t size)
```
Defined at line 72 of file ../../src/sys/fuzzing/common/testing/sanitizer.cc
```
void LeakMemory ()
```
Defined at line 74 of file ../../src/sys/fuzzing/common/testing/sanitizer.cc
```
void Die ()
```
Defined at line 76 of file ../../src/sys/fuzzing/common/testing/sanitizer.cc
```
template <typename V = void>
```
```
fit::function<void (ZxResult<V>)> ZxBind (typename ZxBridge<V>::completer_type && completer)
```
Like |Completer::bind|, but can handle |zx_status_t| errors. This is useful for bridging FIDL

callbacks for methods like "... -> ... error zx.Status;".

Defined at line 84 of file ../../src/sys/fuzzing/common/async-types.h
```
template <typename T>
```
```
ZxPromise<T> AwaitConsumer (Consumer<T> consumer)
```
Like `AwaitConsumer` above, but these also returns a value on success.

Defined at line 113 of file ../../src/sys/fuzzing/common/async-types.h
```
FidlInput AsyncSocketWrite (const ExecutorPtr & executor, const Input & input)
```
Schedules a task to write data from an |input| or |artifact| to a corresponding |FidlInput| or

|FidlArtifact|, which is returned.

Example:

Input my_input("example");

auto fidl_input = AsyncSocketWrite(executor(), my_input);

my_ptr->MyFidlMethod(std::move(fidl_input);

Defined at line 118 of file ../../src/sys/fuzzing/common/async-socket.cc

template <typename T>

ZxPromise<T> AwaitConsumer (ZxConsumer<T> consumer)

Defined at line 120 of file ../../src/sys/fuzzing/common/async-types.h

```
template <typename B>
```
```
ZxPromise<typename B::value_type> ConsumeBridge (B & bridge)
```
Like `ConsumeBridge` above, but also returns a value on success.

Defined at line 134 of file ../../src/sys/fuzzing/common/async-types.h

FidlArtifact AsyncSocketWrite (const ExecutorPtr & executor, const Artifact & artifact)

Defined at line 142 of file ../../src/sys/fuzzing/common/async-socket.cc

```
void MakeCorpus (const std::string & pkg_path, std::initializer_list<const char *> inputs, std::vector<Input> * out)
```
Creates a directory at `pkg_path`. For each input in `inputs`, creates a file under `pkg_path`

with name and contents matching that input, and adds a corresponding `Input` to `out`. The

returned inputs are guaranteed to be sorted and unique. This should be called as part of a test

using `ASSERT_NO_FATAL_FAILURES`, e.g.

std::vector

<Input

> corpus;

ASSERT_NO_FATAL_FAILURE(MakeCorpus("/tmp/my-test/corpus", {"foo", "bar"},

&corpus

));

Defined at line 270 of file ../../src/sys/fuzzing/common/testing/runner.cc
```
void WriteInput (const std::string & pkg_pathInput contents)
```
Makes a packaged input file suitable for testing.

Writes `contents` to a file at `pkg_path`, creating any intermediary directories in the

process. This should be called as part of a test using `ASSERT_NO_FATAL_FAILURES`, e.g.

ASSERT_NO_FATAL_FAILURE(WriteInput("/tmp/my-test/dictionary", Input("key=\"val

"

)));

Defined at line 283 of file ../../src/sys/fuzzing/common/testing/runner.cc

Variables

const char * kFakeFuzzerUrl

Defined at line 13 of file ../../src/sys/fuzzing/common/testing/registrar.cc

const char * kEcho

Defined at line 17 of file ../../src/sys/fuzzing/common/child-process-unittest.cc

const char * kTestEngineBin

Defined at line 21 of file ../../src/sys/fuzzing/common/engine-unittest.cc

const char * kFakeRunnerFlag

Defined at line 42 of file ../../src/sys/fuzzing/common/testing/runner.cc

InstrumentedProcess gInstrumented

Defined at line 48 of file ../../src/sys/fuzzing/realmfuzzer/target/instrumented-process.cc

FakeSanitizerRuntime gFakeSanitizerRuntime

Defined at line 68 of file ../../src/sys/fuzzing/common/testing/sanitizer.cc