Make fuzzer thread safe

2026-01-27 23:11:02 +00:00 · 2024-09-24 15:38:01 +02:00
parent 10b09b8f51
commit 7547fee251
8 changed files with 76 additions and 61 deletions
--- a/src/fuzzing-engine/fuzzer.cpp
+++ b/src/fuzzing-engine/fuzzer.cpp
@@ -8,7 +8,7 @@ namespace fuzzer
 		class fuzzing_context
 		{
 		public:
-			fuzzing_context(input_generator& generator, fuzzing_handler& handler)
+			fuzzing_context(input_generator& generator, handler& handler)
 				: generator(generator)
 				  , handler(handler)
 			{
@@ -36,31 +36,38 @@ namespace fuzzer
 			}

 			input_generator& generator;
-			fuzzing_handler& handler;
+			handler& handler;

 		private:
 			std::atomic_bool stop_{false};
 		};

-		void perform_fuzzing_iteration(const fuzzing_context& context)
+		void perform_fuzzing_iteration(const fuzzing_context& context, executer& executer)
 		{
 			context.generator.access_input([&](const std::span<const uint8_t> input)
 			{
 				uint64_t score{0};
-				context.handler.execute(input, [&](uint64_t)
+				const auto result = executer.execute(input, [&](uint64_t)
 				{
 					++score;
 				});

+				if(result == execution_result::error)
+				{
+					printf("Found error!");
+				}
+
 				return score;
 			});
 		}

 		void worker(fuzzing_context& context)
 		{
+			const auto executer = context.handler.make_executer();
+
 			while (!context.should_stop())
 			{
-				perform_fuzzing_iteration(context);
+				perform_fuzzing_iteration(context, *executer);
 			}
 		}

@@ -100,7 +107,7 @@ namespace fuzzer
 		};
 	}

-	void run(fuzzing_handler& handler, const size_t concurrency)
+	void run(handler& handler, const size_t concurrency)
 	{
 		input_generator generator{};
 		fuzzing_context context{generator, handler};
--- a/src/fuzzing-engine/fuzzer.hpp
+++ b/src/fuzzing-engine/fuzzer.hpp
@@ -1,5 +1,6 @@
 #pragma once
 #include <span>
+#include <memory>
 #include <thread>
 #include <cstdint>
 #include <functional>
@@ -14,12 +15,19 @@ namespace fuzzer
 		error,
 	};

-	struct fuzzing_handler
+	struct executer
 	{
-		virtual ~fuzzing_handler() = default;
+		virtual ~executer() = default;

 		virtual execution_result execute(std::span<const uint8_t> data,
-		                                 const std::function<coverage_functor>& coverage_handler) = 0;
+			const std::function<coverage_functor>& coverage_handler) = 0;
+	};
+
+	struct handler
+	{
+		virtual ~handler() = default;
+
+		virtual std::unique_ptr<executer> make_executer() = 0;

 		virtual bool stop()
 		{
@@ -27,5 +35,5 @@ namespace fuzzer
 		}
 	};

-	void run(fuzzing_handler& handler, size_t concurrency = std::thread::hardware_concurrency());
+	void run(handler& handler, size_t concurrency = std::thread::hardware_concurrency());
 }
--- a/src/fuzzing-engine/input_generator.cpp
+++ b/src/fuzzing-engine/input_generator.cpp
@@ -8,7 +8,7 @@ namespace fuzzer

 		void mutate_input(random_generator& rng, std::vector<uint8_t>& input)
 		{
-			if (input.empty() || rng.get(10) == 0)
+			if (input.empty() || rng.get(3) == 0)
 			{
 				const auto new_bytes = rng.get_geometric<size_t>() + 1;
 				input.resize(input.size() + new_bytes);