1 // This file is distributed under the University of Illinois Open Source 2 // License. See LICENSE.TXT for details. 3 4 // Make sure the fuzzer eventually finds all possible values of a variable 5 // within a range. 6 #include <cassert> 7 #include <cstdint> 8 #include <cstdio> 9 #include <cstdlib> 10 #include <cstring> 11 #include <set> 12 13 const size_t N = 1 << 12; 14 15 // Define an array of counters that will be understood by libFuzzer 16 // as extra coverage signal. The array must be: 17 // * uint8_t 18 // * in the section named __libfuzzer_extra_counters. 19 // The target code may declare more than one such array. 20 // 21 // Use either `Counters[Idx] = 1` or `Counters[Idx]++;` 22 // depending on whether multiple occurrences of the event 'Idx' 23 // is important to distinguish from one occurrence. 24 #ifdef __linux__ 25 __attribute__((section("__libfuzzer_extra_counters"))) 26 #endif 27 static uint8_t Counters[N]; 28 29 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { 30 static std::set<uint16_t> SeenIdx; 31 if (Size != 4) return 0; 32 uint32_t Idx; 33 memcpy(&Idx, Data, 4); 34 Idx %= N; 35 assert(Counters[Idx] == 0); // libFuzzer should reset these between the runs. 36 // Or Counters[Idx]=1 if we don't care how many times this happened. 37 Counters[Idx]++; 38 SeenIdx.insert(Idx); 39 if (SeenIdx.size() == N) { 40 fprintf(stderr, "BINGO: found all values\n"); 41 abort(); 42 } 43 return 0; 44 } 45