drfuzz_mutator.h File Reference

Header specifying the Dr. Fuzz mutator library interface. More...

#include "drmemory_framework.h"

Functions
LIB_EXPORT drmf_status_t LIBFUNC()	drfuzz_mutator_start (OUT drfuzz_mutator_t **mutator, IN void *input_seed, IN size_t size, IN int argc, IN const char *argv[])
LIB_EXPORT bool LIBFUNC()	drfuzz_mutator_has_next_value (drfuzz_mutator_t *mutator)
LIB_EXPORT drmf_status_t LIBFUNC()	drfuzz_mutator_get_current_value (IN drfuzz_mutator_t *mutator, OUT void *buffer)
LIB_EXPORT drmf_status_t LIBFUNC()	drfuzz_mutator_get_next_value (drfuzz_mutator_t *mutator, OUT void *buffer)
LIB_EXPORT drmf_status_t LIBFUNC()	drfuzz_mutator_stop (drfuzz_mutator_t *mutator)
LIB_EXPORT drmf_status_t LIBFUNC()	drfuzz_mutator_feedback (drfuzz_mutator_t *mutator, int feedback)

Detailed Description

Header specifying the Dr. Fuzz mutator library interface.

To create a new mutator library, include this header in your library compilation (leaving DYNAMIC_INTERFACE undefined) and implement the interface functions defined below. You will need to ensure that drmemory_framework.h is on the include path as well for drmf_status_t.

Function Documentation

drfuzz_mutator_feedback()

LIB_EXPORT drmf_status_t LIBFUNC() drfuzz_mutator_feedback	(	drfuzz_mutator_t *	mutator,
		int	feedback
	)

Provides feedback to the mutator about the effect of the last mutation. The meaning of feedback can be specified by custom mutators. If the meaning of feedback is not specified, 0 means neutral, and the greater the value of feedback is, the more effective the last mutation is.

Note

This function must be called to enable feedback guided mutation. For example, in Dr. Memory fuzz testing mode, the option -fuzz_coverage must be specified for any custom mutator that supports feedback guided mutation.

drfuzz_mutator_get_current_value()

LIB_EXPORT drmf_status_t LIBFUNC() drfuzz_mutator_get_current_value	(	IN drfuzz_mutator_t *	mutator,
		OUT void *	buffer
	)

Provides a copy of the current mutator value. Returns DRMF_SUCCESS on success.

drfuzz_mutator_get_next_value()

LIB_EXPORT drmf_status_t LIBFUNC() drfuzz_mutator_get_next_value	(	drfuzz_mutator_t *	mutator,
		OUT void *	buffer
	)

Writes the next fuzz value to the provided buffer. Returns DRMF_SUCCESS on success.

drfuzz_mutator_has_next_value()

LIB_EXPORT bool LIBFUNC() drfuzz_mutator_has_next_value

(

drfuzz_mutator_t *

mutator

)

Returns true if the mutator can generate the next value. Generally this is only relevant for mutators using a sequential algorithm.

drfuzz_mutator_start()

LIB_EXPORT drmf_status_t LIBFUNC() drfuzz_mutator_start	(	OUT drfuzz_mutator_t **	mutator,
		IN void *	input_seed,
		IN size_t	size,
		IN int	argc,
		IN const char *	argv[]
	)

Initiate mutation on a buffer. Returns DRMF_SUCCESS on success.

Parameters

[out]	mutator	Return argument for the newly initiated mutator.
[in]	input_seed	Pointer to the seed instance of the buffer to mutate.
[in]	size	The number of bytes in the buffer.
[in]	argc	The number of arguments to customize the mutator.
[in]	argv	An array of argc arguments to customize the mutator.

drfuzz_mutator_stop()

LIB_EXPORT drmf_status_t LIBFUNC() drfuzz_mutator_stop

(

drfuzz_mutator_t *

mutator

)

Clean up resources allocated for the mutator. Returns DRMF_SUCCESS on success.