Mutations almost completely refactored

Author: Rumata888

tooling/greybox_fuzzer/src/mutation/array.rs

@@ -1,15 +1,20 @@
+use std::cmp::min;
+
 use noirc_abi::input_parser::InputValue;
 use rand::Rng;
 use rand_xorshift::XorShiftRng;
 
 use crate::mutation::configurations::{SpliceMutation, BASIC_SPLICE_MUTATION_CONFIGURATION};
 
-use super::configurations::{SpliceCandidate, BASIC_SPLICE_CANDIDATE_PRIORITIZATION_CONFIGURATION};
-struct ArraySplicer<'a> {
+use super::configurations::{
+    SpliceCandidate, StructuralMutation, BASIC_SPLICE_CANDIDATE_PRIORITIZATION_CONFIGURATION,
+    BASIC_STRUCTURE_MUTATION_CONFIGURATION, BASIC_VECTOR_STRUCTURE_MUTATION_CONFIGURATION,
+};
+struct ArrayMutator<'a> {
     prng: &'a mut XorShiftRng,
 }
 
-impl<'a> ArraySplicer<'a> {
+impl<'a> ArrayMutator<'a> {
     pub fn new(prng: &'a mut XorShiftRng) -> Self {
         Self { prng }
     }
@@ -99,13 +104,108 @@ impl<'a> ArraySplicer<'a> {
         };
         InputValue::Vec(result)
     }
+
+    /// Perform one of structural mutations on the vector of input values
+    pub fn perform_structure_mutation_on_vector(
+        &mut self,
+        input_buffer: &Vec<InputValue>,
+    ) -> Vec<InputValue> {
+        let result = match BASIC_VECTOR_STRUCTURE_MUTATION_CONFIGURATION.select(self.prng) {
+            StructuralMutation::ChaoticSelfSplice => {
+                self.chaotic_splice(input_buffer, input_buffer)
+            }
+            StructuralMutation::ChunkDuplication => self.duplicate_chunk(input_buffer),
+            StructuralMutation::Swap => self.swap(input_buffer),
+            StructuralMutation::RandomValueDuplication => {
+                panic!("Vector mutations should have a value duplication weight of zero")
+            }
+        };
+
+        result
+    }
+
+    /// Perform structural mutations on a InputValue that is a vector
+    fn perform_structure_mutation(&mut self, input_buffer: &InputValue) -> InputValue {
+        let input_vec = match input_buffer {
+            InputValue::Vec(internal_vector) => internal_vector,
+            _ => panic!("Expect to get a vector input value"),
+        };
+        InputValue::Vec(self.perform_structure_mutation_on_vector(input_vec))
+    }
+    /// Swap 2 random chunks in the buffer
+    fn swap(&mut self, buffer: &Vec<InputValue>) -> Vec<InputValue> {
+        let mut result = Vec::new();
+        let buffer_length = buffer.len();
+
+        // We need to leave at least the last byte for the second chunk
+        let first_chunk_position = self.prng.gen_range(0..(buffer_length - 1));
+
+        // The second chunk starts after the first
+        let second_chunk_position = self.prng.gen_range((first_chunk_position + 1)..buffer_length);
+
+        let first_chunk_end =
+            self.prng.gen_range((first_chunk_position + 1)..=second_chunk_position);
+
+        let second_chunk_end = self.prng.gen_range((second_chunk_position + 1)..=buffer_length);
+
+        // Leave the start in place
+        result.extend_from_slice(&buffer[0..first_chunk_position]);
+
+        // Insert second chunk
+        result.extend_from_slice(&buffer[second_chunk_position..(second_chunk_end)]);
+
+        // Insert what's in between the chunks
+        result.extend_from_slice(&buffer[first_chunk_end..(second_chunk_position)]);
+
+        // Insert first chunk
+        result.extend_from_slice(&buffer[first_chunk_position..first_chunk_end]);
+
+        // Insert the tail
+        result.extend_from_slice(&buffer[second_chunk_end..buffer_length]);
+
+        result
+    }
+
+    /// Take a random chunk of the input and insert it several times into the input
+    fn duplicate_chunk(&mut self, input_buffer: &Vec<InputValue>) -> Vec<InputValue> {
+        let mut result = input_buffer.clone();
+        let buffer_length = input_buffer.len();
+        // The maximum length of the chunk is half the total length
+        let maximum_chunk_length = buffer_length / 2;
+
+        // Get a random position for the chunk
+        let chunk_position = self.prng.gen_range(0..=buffer_length - 1);
+
+        // Pick size
+        let chunk_size =
+            self.prng.gen_range(1..=min(buffer_length - chunk_position, maximum_chunk_length));
+
+        // Find an insertion position with enough space
+        let insertion_position = self.prng.gen_range(0..(buffer_length - chunk_size));
+
+        // Determine how many times to repeat
+        let maximum_insertion_count = (buffer_length - insertion_position) / chunk_size;
+        let insertion_count = self.prng.gen_range(0..=maximum_insertion_count);
+        for i in 0..insertion_count {
+            result.splice(
+                (insertion_position + i * chunk_size)..(insertion_position + (i + 1) * chunk_size),
+                input_buffer[chunk_position..(chunk_position + chunk_size)].iter().cloned(),
+            );
+        }
+        result
+    }
 }
 
 pub fn splice_array_structure(
     first_input: &InputValue,
     second_input: &InputValue,
     prng: &mut XorShiftRng,
 ) -> InputValue {
-    let mut array_splicer = ArraySplicer::new(prng);
+    let mut array_splicer = ArrayMutator::new(prng);
     array_splicer.splice(first_input, second_input)
 }
+
+pub fn mutate_vector_structure(input: &Vec<InputValue>, prng: &mut XorShiftRng) -> Vec<InputValue> {
+    let mut array_mutator = ArrayMutator::new(prng);
+    array_mutator.perform_structure_mutation_on_vector(input)
+}

tooling/greybox_fuzzer/src/mutation/configurations.rs

@@ -505,6 +505,54 @@ impl TopLevelFieldElementMutationConfiguration {
     }
 }
 
+pub enum TestCaseSpliceType {
+    /// Around 50% for each top-level element
+    BalancedTopLevel,
+    /// 80/20 for each element at lower level
+    UnbalancedFull,
+    /// One element merged into the main testcase
+    SingleElementImport,
+}
+
+pub(crate) struct TestCaseSpliceConfiguration {
+    balanced_top_level_weight: usize,
+    unbalanced_full_weight: usize,
+    #[allow(unused)]
+    single_element_import_weight: usize,
+    total_weight: usize,
+}
+
+impl TestCaseSpliceConfiguration {
+    #[allow(unused)]
+    pub fn new(
+        balanced_top_level_weight: usize,
+        unbalanced_full_weight: usize,
+        single_element_import_weight: usize,
+    ) -> Self {
+        let total_weight =
+            balanced_top_level_weight + unbalanced_full_weight + single_element_import_weight;
+        Self {
+            balanced_top_level_weight,
+            unbalanced_full_weight,
+            single_element_import_weight,
+            total_weight,
+        }
+    }
+
+    /// Select a mutation according to weights
+    pub fn select(&self, prng: &mut XorShiftRng) -> TestCaseSpliceType {
+        let mut selector = prng.gen_range(0..self.total_weight);
+        if selector < self.balanced_top_level_weight {
+            return TestCaseSpliceType::BalancedTopLevel;
+        }
+        selector -= self.balanced_top_level_weight;
+        if selector < self.unbalanced_full_weight {
+            return TestCaseSpliceType::UnbalancedFull;
+        }
+        return TestCaseSpliceType::SingleElementImport;
+    }
+}
+
 /// Default configurations for all mutations that are currently used
 
 pub(crate) const BASIC_SPLICE_MUTATION_CONFIGURATION: SpliceMutationConfiguration =
@@ -515,9 +563,9 @@ pub(crate) const BASIC_SPLICE_MUTATION_CONFIGURATION: SpliceMutationConfiguratio
     };
 pub(crate) const BASIC_UNBALANCED_ARRAY_SPLICE_MUTATION_CONFIGURATION:
     UnbalancedArraySpliceConfiguration = UnbalancedArraySpliceConfiguration {
-    array_specific_weight: 1,
-    recurse_weight: 1,
-    total_weight: 1 + 1,
+    array_specific_weight: 11,
+    recurse_weight: 9,
+    total_weight: 11 + 9,
 };
 pub(crate) const BASIC_BYTE_VALUE_MUTATION_CONFIGURATION: ByteValueMutationConfiguration =
     ByteValueMutationConfiguration {
@@ -535,9 +583,9 @@ pub(crate) const DICTIONARY_EMPTY_BYTE_VALUE_MUTATION_CONFIGURATION:
 
 pub(crate) const BASIC_SPLICE_CANDIDATE_PRIORITIZATION_CONFIGURATION:
     SpliceCandidatePrioritizationConfiguration = SpliceCandidatePrioritizationConfiguration {
-    first_weight: 2,
-    second_weight: 1,
-    total_weight: 2 + 1,
+    first_weight: 11,
+    second_weight: 10,
+    total_weight: 11 + 10,
 };
 
 pub(crate) const BASIC_STRUCTURE_MUTATION_CONFIGURATION: StructuralMutationConfiguration =
@@ -608,3 +656,21 @@ pub(crate) const BASIC_TOPLEVEL_FIELD_ELEMENT_MUTATION_CONFIGURATION:
     dictionary_update_weight: 10,
     total_weight: 10 + 1 + 5 + 10 + 10,
 };
+
+pub(crate) const BASIC_TESTCASE_SPLICE_CONFIGURATION: TestCaseSpliceConfiguration =
+    TestCaseSpliceConfiguration {
+        balanced_top_level_weight: 1,
+        unbalanced_full_weight: 1,
+        single_element_import_weight: 2,
+        total_weight: 1 + 1 + 2,
+    };
+
+/// Generic vector structural mutation configuration (random value duplication weight MUST stay zero)
+pub(crate) const BASIC_VECTOR_STRUCTURE_MUTATION_CONFIGURATION: StructuralMutationConfiguration =
+    StructuralMutationConfiguration {
+        chaotic_self_splice_weight: 3,
+        chunk_duplication_weight: 2,
+        random_value_duplication_weight: 0,
+        swap_weight: 3,
+        total_weight: 3 + 2 + 0 + 3,
+    };