infix
A JIT-Powered FFI Library for C
fuzz_helpers.h File Reference

Common definitions, structures, and helpers for all fuzzer targets.

#include "common/infix_internals.h"
#include <infix/infix.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

Classes

struct  fuzzer_input
 Represents the fuzzer's input data as a consumable stream.
 

Macros

#define MAX_RECURSION_DEPTH   32
 A hard limit on the recursion depth for generate_random_type to prevent stack overflows.
 
#define MAX_MEMBERS   16
 A limit on the number of members in a randomly generated struct or union.
 
#define MAX_ARRAY_ELEMENTS   128
 A limit on the number of elements in a randomly generated array.
 
#define MAX_TYPES_IN_POOL   16
 The number of random types to generate and place in the pool for constructing signatures.
 
#define MAX_ARGS_IN_SIGNATURE   16
 A limit on the number of arguments in a randomly generated function signature.
 
#define MAX_TOTAL_FUZZ_FIELDS   256
 A global limit on the total number of primitive fields in a single generated type graph to prevent timeouts.
 
#define DEFINE_CONSUME_T(type)
 Defines a static inline consume_<type>() helper that reads sizeof(type) bytes from the stream into *out, returning false if the input is exhausted.
 

Functions

static const uint8_t * consume_bytes (fuzzer_input *in, size_t n)
 
infix_type * generate_random_type (infix_arena_t *arena, fuzzer_input *in, int depth, size_t *total_fields)
 Recursively generates a random infix_type graph from a fuzzer input stream.
 

Detailed Description

Common definitions, structures, and helpers for all fuzzer targets.

Copyright (c) 2025 Sanko Robinson

This source code is dual-licensed under the Artistic License 2.0 or the MIT License. You may choose to use this code under the terms of either license.

SPDX-License-Identifier: (Artistic-2.0 OR MIT)

The documentation blocks within this file are licensed under the Creative Commons Attribution 4.0 International License (CC BY 4.0).

SPDX-License-Identifier: CC-BY-4.0

Macro Definition Documentation

◆ DEFINE_CONSUME_T

#define DEFINE_CONSUME_T(type)
Value:
    static inline bool consume_##type(fuzzer_input * in, type * out) { \
        const uint8_t * bytes = consume_bytes(in, sizeof(type)); \
        if (!bytes) \
            return false; \
        memcpy(out, bytes, sizeof(type)); \
        return true; \
    }

Expands to a bounds-checked reader for one fixed-size value: consume_bytes() either hands back a pointer to sizeof(type) bytes of the stream or, if too little input remains, returns NULL, in which case the generated function returns false without touching *out.

◆ MAX_ARGS_IN_SIGNATURE

#define MAX_ARGS_IN_SIGNATURE   16

A limit on the number of arguments in a randomly generated function signature.

◆ MAX_ARRAY_ELEMENTS

#define MAX_ARRAY_ELEMENTS   128

A limit on the number of elements in a randomly generated array.

◆ MAX_MEMBERS

#define MAX_MEMBERS   16

A limit on the number of members in a randomly generated struct or union.

◆ MAX_RECURSION_DEPTH

#define MAX_RECURSION_DEPTH   32

A hard limit on the recursion depth for generate_random_type to prevent stack overflows.

◆ MAX_TOTAL_FUZZ_FIELDS

#define MAX_TOTAL_FUZZ_FIELDS   256

A global limit on the total number of primitive fields in a single generated type graph to prevent timeouts.

◆ MAX_TYPES_IN_POOL

#define MAX_TYPES_IN_POOL   16

The number of random types to generate and place in the pool for constructing signatures.

Function Documentation

◆ consume_bytes()

static const uint8_t * consume_bytes ( fuzzer_input * in, size_t n )
[inline, static]

◆ generate_random_type()

infix_type * generate_random_type ( infix_arena_t * arena, fuzzer_input * in, int depth, size_t * total_fields )

Recursively generates a random infix_type graph from a fuzzer input stream.

This is the core of the structure-aware type fuzzer. It consumes bytes from the input to probabilistically build a complex, potentially nested type.

Parameters
    arena         The memory arena for allocating the generated types.
    in            The fuzzer input stream.
    depth         The current recursion depth.
    total_fields  A counter for the total number of primitive fields generated.
Returns
    A pointer to a newly generated infix_type, or nullptr on failure.

This function consumes bytes from the fuzzer_input to make decisions about what kind of type to generate. It can create primitives, pointers, arrays, structs (packed and regular), and unions. For composite types, it calls itself recursively to generate member or element types.

To prevent timeouts and stack overflows from pathological inputs, the function enforces two key limits:

  • MAX_RECURSION_DEPTH: Limits how deeply types can be nested (e.g., struct within a struct).
  • MAX_TOTAL_FUZZ_FIELDS: Limits the total number of primitive fields in the entire graph.

Once a limit is reached, the recursion terminates by generating a simple primitive type.

Parameters
    arena         The memory arena to allocate the new infix_type objects into.
    in            A pointer to the fuzzer input stream. The stream is consumed as types are generated.
    depth         The current recursion depth.
    total_fields  A pointer to a counter for the total number of fields generated so far.
Returns
    A pointer to the newly generated infix_type, or nullptr if generation fails or input is exhausted.
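The following is an added example, not code from infix itself, showing how the DEFINE_CONSUME_T stream readers and the two limits described above fit together. It assumes a fuzzer_input layout of {data, size, pos} (the real struct's members are not shown on this page) and replaces infix_type construction with a simple field counter (gen_type, run_constructed_case and fuzz_stats are hypothetical names); the constructed input of all 0x01 bytes is the "struct inside struct forever" shape that the depth and field limits exist to cut short.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_RECURSION_DEPTH 32
#define MAX_TOTAL_FUZZ_FIELDS 256

/* Assumed stream layout (hypothetical; the page does not show the real members). */
typedef struct { const uint8_t *data; size_t size; size_t pos; } fuzzer_input;

/* Bounds-checked read: hand back n bytes of the stream or NULL, never over-read. */
static const uint8_t *consume_bytes(fuzzer_input *in, size_t n) {
    if (n > in->size - in->pos) return NULL;
    in->pos += n;
    return in->data + in->pos - n;
}
#define DEFINE_CONSUME_T(type) \
    static inline bool consume_##type(fuzzer_input *in, type *out) { \
        const uint8_t *bytes = consume_bytes(in, sizeof(type)); \
        if (!bytes) return false; \
        memcpy(out, bytes, sizeof(type)); return true; }
DEFINE_CONSUME_T(uint8_t)

/* Stand-in for generate_random_type: builds no infix_type, only counts the primitive
 * fields it would emit. Decision byte 1 = struct with (1 + next byte % 4) members;
 * any other byte, exhausted input, or a reached limit = one primitive (branch ends). */
static size_t gen_type(fuzzer_input *in, int depth, size_t *total_fields, int *max_depth) {
    uint8_t kind = 0, n = 0;
    if (depth > *max_depth) *max_depth = depth;
    if (depth >= MAX_RECURSION_DEPTH || *total_fields >= MAX_TOTAL_FUZZ_FIELDS ||
        !consume_uint8_t(in, &kind) || kind != 1 || !consume_uint8_t(in, &n)) {
        (*total_fields)++;
        return 1;
    }
    size_t members = 1 + (n % 4), fields = 0;
    for (size_t i = 0; i < members; i++)
        fields += gen_type(in, depth + 1, total_fields, max_depth);
    return fields;
}

typedef struct { size_t fields; int max_depth; size_t consumed; } fuzz_stats;

/* Constructed input: len bytes of 0x01, i.e. "2-member struct" at every decision. */
static fuzz_stats run_constructed_case(size_t len) {
    uint8_t buf[4096];
    if (len > sizeof buf) len = sizeof buf;
    memset(buf, 0x01, len);
    fuzzer_input in = { buf, len, 0 };
    fuzz_stats st = { 0, 0, 0 };
    size_t total = 0;
    st.fields = gen_type(&in, 0, &total, &st.max_depth);
    st.consumed = in.pos;
    return st;
}
```

With 4096 bytes of 0x01 the depth limit stops nesting at 32 and the field limit stops the graph at 256 fields plus one primitive per frame still unwinding, 280 in total, after consuming only 558 bytes.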