Prepare fuzzing engine

src/fuzzing-engine/CMakeLists.txt

@@ -0,0 +1,21 @@
+file(GLOB_RECURSE SRC_FILES CONFIGURE_DEPENDS
+  *.cpp
+  *.hpp
+  *.rc
+)
+
+list(SORT SRC_FILES)
+
+add_library(fuzzing-engine ${SRC_FILES})
+
+momo_assign_source_group(${SRC_FILES})
+
+target_link_libraries(fuzzing-engine PRIVATE
+  common
+)
+
+target_include_directories(fuzzing-engine INTERFACE
+    "${CMAKE_CURRENT_LIST_DIR}"
+)
+
+momo_strip_target(fuzzing-engine)

src/fuzzing-engine/fuzzer.cpp

@@ -0,0 +1,114 @@
+#include "fuzzer.hpp"
+#include "input_generator.hpp"
+
+namespace fuzzer
+{
+	namespace
+	{
+		class fuzzing_context
+		{
+		public:
+			fuzzing_context(input_generator& generator, fuzzing_handler& handler)
+				: generator(generator)
+				  , handler(handler)
+			{
+			}
+
+			void stop()
+			{
+				this->stop_ = true;
+			}
+
+			bool should_stop()
+			{
+				if (this->stop_)
+				{
+					return true;
+				}
+
+				if (!handler.stop())
+				{
+					return false;
+				}
+
+				this->stop_ = true;
+				return true;
+			}
+
+			input_generator& generator;
+			fuzzing_handler& handler;
+
+		private:
+			std::atomic_bool stop_{false};
+		};
+
+		void perform_fuzzing_iteration(const fuzzing_context& context)
+		{
+			context.generator.access_input([&](const std::span<const uint8_t> input)
+			{
+				uint64_t score{0};
+				context.handler.execute(input, [&](uint64_t)
+				{
+					++score;
+				});
+
+				return score;
+			});
+		}
+
+		void worker(fuzzing_context& context)
+		{
+			while (!context.should_stop())
+			{
+				perform_fuzzing_iteration(context);
+			}
+		}
+
+		struct worker_pool
+		{
+			fuzzing_context* context_{nullptr};
+			std::vector<std::thread> workers_{};
+
+			worker_pool(fuzzing_context& context, const size_t concurrency)
+				: context_(&context)
+			{
+				this->workers_.reserve(concurrency);
+
+				for (size_t i = 0; i < concurrency; ++i)
+				{
+					this->workers_.emplace_back([&context]
+					{
+						worker(context);
+					});
+				}
+			}
+
+			~worker_pool()
+			{
+				if (this->workers_.empty())
+				{
+					return;
+				}
+
+				this->context_->stop();
+
+				for (auto& w : this->workers_)
+				{
+					w.join();
+				}
+			}
+		};
+	}
+
+	void run(fuzzing_handler& handler, const size_t concurrency)
+	{
+		input_generator generator{};
+		fuzzing_context context{generator, handler};
+		worker_pool pool{context, concurrency};
+
+		while (!context.should_stop())
+		{
+			std::this_thread::sleep_for(std::chrono::seconds{1});
+		}
+	}
+}

src/fuzzing-engine/fuzzer.hpp

@@ -0,0 +1,31 @@
+#pragma once
+#include <span>
+#include <thread>
+#include <cstdint>
+#include <functional>
+
+namespace fuzzer
+{
+	using coverage_functor = void(uint64_t address);
+
+	enum class execution_result
+	{
+		success,
+		error,
+	};
+
+	struct fuzzing_handler
+	{
+		virtual ~fuzzing_handler() = default;
+
+		virtual execution_result execute(std::span<const uint8_t> data,
+		                                 const std::function<coverage_functor>& coverage_handler) = 0;
+
+		virtual bool stop()
+		{
+			return false;
+		}
+	};
+
+	void run(fuzzing_handler& handler, size_t concurrency = std::thread::hardware_concurrency());
+}

src/fuzzing-engine/input_generator.cpp

@@ -0,0 +1,93 @@
+#include "input_generator.hpp"
+
+namespace fuzzer
+{
+	namespace
+	{
+		constexpr size_t MAX_TOP_SCORER = 20;
+
+		void mutate_input(random_generator& rng, std::vector<uint8_t>& input)
+		{
+			if (input.empty() || rng.get(10) == 0)
+			{
+				const auto new_bytes = rng.get_geometric<size_t>() + 1;
+				input.resize(input.size() + new_bytes);
+			}
+			else if (rng.get(10) == 0)
+			{
+				const auto remove_bytes = rng.get_geometric<size_t>() % input.size();
+				input.resize(input.size() - remove_bytes);
+			}
+
+			const auto mutations = (rng.get_geometric<size_t>() + 1) % input.size();
+
+
+			for (size_t i = 0; i < mutations; ++i)
+			{
+				const auto index = rng.get<size_t>(input.size());
+				input[index] = rng.get<uint8_t>();
+			}
+		}
+	}
+
+	input_generator::input_generator() = default;
+
+	std::vector<uint8_t> input_generator::generate_next_input()
+	{
+		std::vector<uint8_t> input{};
+		std::unique_lock lock{this->mutex_};
+
+		if (!this->top_scorer_.empty())
+		{
+			const auto index = this->rng.get<size_t>() % this->top_scorer_.size();
+			input = this->top_scorer_[index].data;
+		}
+
+		mutate_input(this->rng, input);
+
+		return input;
+	}
+
+	void input_generator::access_input(const std::function<input_handler>& handler)
+	{
+		auto next_input = this->generate_next_input();
+		const auto score = handler(next_input);
+		this->store_input_entry({std::move(next_input), score});
+	}
+
+	void input_generator::store_input_entry(input_entry entry)
+	{
+		std::unique_lock lock{this->mutex_};
+
+		if (entry.score < this->lowest_score && this->rng.get(40) != 0)
+		{
+			return;
+		}
+
+		const auto score = entry.score;
+
+		if (this->top_scorer_.size() < MAX_TOP_SCORER)
+		{
+			this->top_scorer_.emplace_back(std::move(entry));
+		}
+		else
+		{
+			const auto index = this->rng.get<size_t>() % this->top_scorer_.size();
+			this->top_scorer_[index] = std::move(entry);
+		}
+
+		this->lowest_score = score;
+		if (score < this->lowest_score)
+		{
+			return;
+		}
+
+		for (const auto& e : this->top_scorer_)
+		{
+			if (e.score < this->lowest_score)
+			{
+				this->lowest_score = e.score;
+			}
+		}
+	}
+}

src/fuzzing-engine/input_generator.hpp

@@ -0,0 +1,38 @@
+#pragma once
+#include <mutex>
+#include <vector>
+#include <optional>
+#include <functional>
+
+#include "random_generator.hpp"
+
+namespace fuzzer
+{
+	using input_score = uint64_t;
+	using input_handler = input_score(std::span<const uint8_t>);
+
+	struct input_entry
+	{
+		std::vector<uint8_t> data{};
+		input_score score{};
+	};
+
+	class input_generator
+	{
+	public:
+		input_generator();
+
+		void access_input(const std::function<input_handler>& handler);
+
+	private:
+		std::mutex mutex_{};
+		random_generator rng{};
+
+		std::vector<input_entry> top_scorer_{};
+		input_score lowest_score{0};
+
+		std::vector<uint8_t> generate_next_input();
+
+		void store_input_entry(input_entry entry);
+	};
+}

src/fuzzing-engine/random_generator.cpp

@@ -0,0 +1,34 @@
+#include "random_generator.hpp"
+
+namespace fuzzer
+{
+	random_generator::random_generator()
+		: rng_(std::random_device()())
+	{
+	}
+
+	std::mt19937::result_type random_generator::generate_number()
+	{
+		return this->distribution_(this->rng_);
+	}
+
+	void random_generator::fill(void* data, const size_t size)
+	{
+		this->fill(std::span(static_cast<uint8_t*>(data), size));
+	}
+
+	void random_generator::fill(std::span<uint8_t> data)
+	{
+		size_t i = 0;
+		while (i < data.size())
+		{
+			const auto number = this->generate_number();
+
+			const auto remaining_data = data.size() - i;
+			const auto data_to_fill = std::min(remaining_data, sizeof(number));
+
+			memcpy(data.data() + i, &number, data_to_fill);
+			i += data_to_fill;
+		}
+	}
+}

src/fuzzing-engine/random_generator.hpp

@@ -0,0 +1,69 @@
+#pragma once
+#include <span>
+#include <random>
+#include <cstdint>
+
+namespace fuzzer
+{
+	class random_generator
+	{
+	public:
+		random_generator();
+
+		void fill(std::span<uint8_t> data);
+		void fill(void* data, size_t size);
+
+		template <typename T>
+			requires(std::is_trivially_copyable_v<T>)
+		T get()
+		{
+			T value{};
+			this->fill(&value, sizeof(value));
+			return value;
+		}
+
+		template <typename T>
+		T get(const T& max)
+		{
+			return this->get<T>() % max;
+		}
+
+		template <typename T>
+		T get(T min, T max)
+		{
+			if (max < min)
+			{
+				std::swap(max, min);
+			}
+
+			const auto diff = max - min;
+
+			return (this->get<T>() % diff) + min;
+		}
+
+		template <typename T>
+		T get_geometric()
+		{
+			T value{0};
+
+			while (this->get<bool>())
+			{
+				++value;
+			}
+
+			return value;
+		}
+
+	private:
+		std::mt19937 rng_;
+		std::uniform_int_distribution<std::mt19937::result_type> distribution_{};
+
+		std::mt19937::result_type generate_number();
+	};
+
+	template <>
+	inline bool random_generator::get<bool>()
+	{
+		return (this->generate_number() & 1) != 0;
+	}
+}