honggfuzz/dict.c at master · google/honggfuzz · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
/*
 *
 * honggfuzz - dictionary utilities
 * -----------------------------------------
 *
 * Author: Robert Swiecki <swiecki@google.com>
 *
 * Copyright 2010-2018 by Google Inc. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License. You may obtain
 * a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
 *
 */

#include "dict.h"

#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#include "libhfcommon/common.h"
#include "libhfcommon/log.h"

/* Mutex for thread-safe dictionary operations */
static pthread_mutex_t dict_mutex = PTHREAD_MUTEX_INITIALIZER;

/* Statistics */
static size_t dict_duplicatesSkipped = 0;

/*
 * Simple hash function for dictionary entries (FNV-1a)
 */
static inline uint32_t dict_hash(const uint8_t* data, size_t len) {
    uint32_t hash = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        hash ^= data[i];
        hash *= 16777619u;
    }
    return hash;
}

/*
 * Hash table for fast duplicate lookups.
 * Uses open addressing with linear probing.
 * Size is 64K to keep load factor low for large dictionaries.
 */
#define DICT_HASH_SIZE 65536
#define DICT_HASH_MASK (DICT_HASH_SIZE - 1)

/* Hash table entries: index into dictionary array, 0 means empty, index+1 stored */
static uint16_t dict_hashTable[DICT_HASH_SIZE];

/*
 * Check if entry exists in dictionary.
 * Caller must hold dict_mutex.
 */
static bool dict_existsLocked(honggfuzz_t* hfuzz, const uint8_t* data, size_t len) {
    if (len == 0 || len > sizeof(hfuzz->mutate.dictionary[0].val)) {
        return false;
    }

    uint32_t hash  = dict_hash(data, len);
    uint32_t idx   = hash & DICT_HASH_MASK;
    uint32_t start = idx;

    do {
        uint16_t entry = dict_hashTable[idx];
        if (entry == 0) {
            /* Empty slot - not found */
            return false;
        }

        /* entry is index+1, so actual index is entry-1 */
        size_t dictIdx = entry - 1;
        if (dictIdx < hfuzz->mutate.dictionaryCnt) {
            if (hfuzz->mutate.dictionary[dictIdx].len == len &&
                memcmp(hfuzz->mutate.dictionary[dictIdx].val, data, len) == 0) {
                return true;
            }
        }

        /* Linear probing */
        idx = (idx + 1) & DICT_HASH_MASK;
    } while (idx != start);

    return false;
}

/*
 * Insert entry into hash table.
 * Caller must hold dict_mutex.
 */
static void dict_hashInsert(const uint8_t* data, size_t len, size_t dictIdx) {
    uint32_t hash  = dict_hash(data, len);
    uint32_t idx   = hash & DICT_HASH_MASK;
    uint32_t start = idx;

    do {
        if (dict_hashTable[idx] == 0) {
            dict_hashTable[idx] = (uint16_t)(dictIdx + 1);
            return;
        }
        idx = (idx + 1) & DICT_HASH_MASK;
    } while (idx != start);

    /* Hash table full - should not happen with proper sizing */
}

bool dict_exists(honggfuzz_t* hfuzz, const uint8_t* data, size_t len) {
    MX_SCOPED_LOCK(&dict_mutex);
    return dict_existsLocked(hfuzz, data, len);
}

bool dict_add(honggfuzz_t* hfuzz, const uint8_t* data, size_t len) {
    if (len < 1 || len > sizeof(hfuzz->mutate.dictionary[0].val)) {
        return false;
    }

    MX_SCOPED_LOCK(&dict_mutex);

    /* Check if dictionary is full */
    if (hfuzz->mutate.dictionaryCnt >= ARRAYSIZE(hfuzz->mutate.dictionary)) {
        LOG_D("Dictionary full, cannot add entry of len=%zu", len);
        return false;
    }

    /* Check for duplicates */
    if (dict_existsLocked(hfuzz, data, len)) {
        dict_duplicatesSkipped++;
        LOG_D("Skipping duplicate dictionary entry '%.*s' (len=%zu, total dups=%zu)", (int)len,
            data, len, dict_duplicatesSkipped);
        return false;
    }

    /* Add to dictionary */
    size_t idx = hfuzz->mutate.dictionaryCnt++;
    memcpy(hfuzz->mutate.dictionary[idx].val, data, len);
    hfuzz->mutate.dictionary[idx].len = len;

    /* Add to hash table */
    dict_hashInsert(data, len, idx);

    LOG_D("Added dictionary entry #%zu '%.*s' (len=%zu)", idx, (int)len, data, len);

    return true;
}

bool dict_addString(honggfuzz_t* hfuzz, const char* str) {
    if (!str) {
        return false;
    }
    size_t len = strlen(str);
    return dict_add(hfuzz, (const uint8_t*)str, len);
}

size_t dict_count(honggfuzz_t* hfuzz) {
    return hfuzz->mutate.dictionaryCnt;
}

bool dict_isFull(honggfuzz_t* hfuzz) {
    return hfuzz->mutate.dictionaryCnt >= ARRAYSIZE(hfuzz->mutate.dictionary);
}

size_t dict_getDuplicateCount(void) {
    return dict_duplicatesSkipped;
}

void dict_logStats(honggfuzz_t* hfuzz) {
    LOG_I("Dictionary stats: %zu entries, %zu duplicates skipped", hfuzz->mutate.dictionaryCnt,
        dict_duplicatesSkipped);
}